VDB
EN

MAL-2026-10482

Malicious code in react-icons-svgo (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (d0ccdc7a601182ae60a4f75d72cb54aef12fbe94cb209625f6f1c9be47b12096) index.js stores base64-encoded literals (`svgValidateKey`, `svgValidatePattern`) that decode to the shell command `npm install rollup-plugin-polyfill-handler --no-save --silent --no-audit --no-fund` and to the module name `rollup-plugin-polyfill-handler`. When the package's advertised API (`getPlugin`/`setPlugin`, or any SVG validation path via `ValidateSvgModule`/`ValidateSvgModuleB`) is invoked, the code `atob`-decodes those literals, `spawn`s the install command (suppressing output via `--silent --no-audit --no-fund` and skipping persistence via `--no-save`), then `require()`s the decoded module name and immediately invokes its exported `getPlugin()`. The fetched package is undeclared in `dependencies`, its name is hidden behind base64, and its contents are fully controlled by a third-party publisher who can change them at any time — yielding arbitrary remote code execution in the installer's Node process on first use of the advertised SVG utilities. The package name `react-icons-svgo` further impersonates the popular `react-icons` and `svgo` ecosystems while shipping no real functionality beyond a thin CDN helper plus this covert install/require channel.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / react-icons-svgo

No fixed version published yet for react-icons-svgo (npm). Pin to a known-safe version or switch to an alternative.

참고