
MAL-2026-6137

Malicious code in react-error-lint (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a084c9e71eac856bf1a1fec025773cc561f9f6677c187d60e055b89c73d846b9)

Package name and README impersonate the popular react-error-boundary library (advertising an ErrorBoundary export, citing bvaughn and kentcdodds.com), but index.js exports unrelated helpers `setDefaultModule` and `buildoptimize`. The `buildoptimize` function issues an HTTP request to the hardcoded URL https://vercel-node-rouge-beta.vercel.app/icons/23 and passes the response body to `eval(JSON.parse(b))` with no integrity check. Any caller that invokes `buildoptimize()` runs whatever JavaScript the attacker-controlled Vercel preview endpoint returns at that moment, granting remote code execution on the installer's machine. The advertised ErrorBoundary API does not exist, confirming the package is a lure rather than a misnamed legitimate library.


Affected packages

npm / react-error-lint

No fixed version published yet for react-error-lint (npm). Pin to a known-safe version or switch to an alternative.
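Since every published version is affected, the practical check is whether the package appears anywhere in a project's dependency tree, including transitively or under an npm alias. The following is an added example, not part of the advisory or of any vendor tooling: it searches a parsed `package-lock.json` for react-error-lint. The function name `findFlagged`, the sample lockfiles and the version strings in them are constructed for illustration.

```javascript
// Added example: locate a flagged package in a parsed npm lockfile.
// Handles lockfileVersion 2/3 ("packages" map keyed by install path)
// and lockfileVersion 1 (nested "dependencies" tree).
const FLAGGED = 'react-error-lint'; // package name from this advisory

function findFlagged(lock, name = FLAGGED) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue; // root entry describes the project itself
      // Keys look like "node_modules/a/node_modules/b"; last segment is the folder.
      const installed = path.split('node_modules/').pop();
      // For npm aliases the folder differs and the real name is in meta.name.
      if (installed === name || meta.name === name) {
        hits.push({ path, version: meta.version ?? null });
      }
    }
    return hits; // v2 lockfiles duplicate the tree in "dependencies"; skip it
  }
  const walk = (deps = {}, trail = []) => {
    for (const [dep, meta] of Object.entries(deps)) {
      // v1 records an alias as version "npm:<real-name>@<version>".
      const aliased = String(meta.version || '').startsWith(`npm:${name}@`);
      if (dep === name || aliased) {
        hits.push({ path: [...trail, dep].join(' > '), version: meta.version ?? null });
      }
      walk(meta.dependencies, [...trail, dep]);
    }
  };
  walk(lock.dependencies);
  return hits;
}

// Constructed sample lockfiles (package layout and versions are made up).
const sampleV3 = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/react': { version: '18.2.0' },
  'node_modules/ui-kit/node_modules/react-error-lint': { version: '0.0.0-example' },
  'node_modules/boundary': { name: 'react-error-lint', version: '0.0.0-example' },
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  'ui-kit': { version: '2.0.0', dependencies: {
    'react-error-lint': { version: '0.0.0-example' } } },
  'boundary': { version: 'npm:react-error-lint@0.0.0-example' },
} };

console.log(findFlagged(sampleV3), findFlagged(sampleV1));
```

To check a real project, pass the result of `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findFlagged`.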
