npm · Malicious package advisory
Malwareeth-react-redirection
MAL-2026-10127
Malicious code in eth-react-redirection (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (cbd414dae34760c2eda09d2093a62a14d694f759350676e88229319a16594e78)
On require(), index.js calls callCallerAsOrigin() which spawns lib/caller.js as a detached, stdio-ignored child process (spawn(process.execPath, [script], { detached: true, stdio: 'ignore' }); child.unref()). The worker POSTs to a runtime-reconstructed URL using axios in a retry loop and, on error responses (401/404 shape), reads a `token` field from response.data and passes it to `new module.exports.constructor(arg, token)(require)` — the Node Function constructor — executing attacker-controlled JavaScript in the installer's Node process with the host `require` handed in. lib/caller.js and lib/config.js are wrapped in `Function(name, "...")({...})` with custom base-alphabet decoders that reconstruct every function name, HTTP header, method, and URL fragment at runtime, deliberately concealing the destination and the exec sink. Package metadata is a cover story: package.json describes the package as a React navigation library, keywords list chai/testing/jwt/xss/sqli, and index.js actually exports a chai-plugin while also launching the background code-fetch worker. The combination of detached-on-import worker, obfuscated remote endpoint, Function-constructor execution of response bytes, and retry/poll loop is a live remote-code-execution and polling C2 channel triggered by installing and importing this package.
Compromised versions (3)
- 1.0.0
- 1.0.1
- 1.0.2
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.