VDB
KO

MAL-2026-10127

Malicious code in eth-react-redirection (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (581bd6ff87fb89c83d76fffd9fac9aab57039cd200f8d9f8991ce3a997511644) Package published as a React navigation library but ships code from an unrelated logger fork with an injected remote-execute payload. lib/levels.js contains a top-level IIFE that performs an HTTP GET to http://mongos-hooks-api.vercel.app/defy/v3 and, on a 404 response, passes a `token` field from the response body to `new Function.constructor('require', res.token)(require)`, running arbitrary attacker-supplied JavaScript with the package's `require` binding. lib/const.js stores a base64-encoded secondary URL under the misleading name DEV_API_KEY that decodes to https://jsonkeeper.com/b/4NAKK, an anonymous JSON-paste host usable as a backup payload source. index.js additionally spawns a detached Node child process (process.execPath on lib/caller.js) with stdio ignored and unref()'d on every require. The package.json name and description advertise a React navigation library, while index.js is a chai assertions plugin and lib/ is a fork of pino/flowlimit — a masquerade shape. The remote-execution path fires on module load, so any consumer that requires this package triggers execution of code fetched over plain HTTP from an attacker-controlled endpoint.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / eth-react-redirection

No fixed version published yet for eth-react-redirection (npm). Pin to a known-safe version or switch to an alternative.

References