VYPR

npm · Malicious package advisory

Malware

react-icons-svgo

MAL-2026-10482

Malicious code in react-icons-svgo (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (d0ccdc7a601182ae60a4f75d72cb54aef12fbe94cb209625f6f1c9be47b12096)
index.js stores base64-encoded literals (`svgValidateKey`, `svgValidatePattern`) that decode to the shell command `npm install rollup-plugin-polyfill-handler --no-save --silent --no-audit --no-fund` and to the module name `rollup-plugin-polyfill-handler`. When the package's advertised API (`getPlugin`/`setPlugin`, or any SVG validation path via `ValidateSvgModule`/`ValidateSvgModuleB`) is invoked, the code `atob`-decodes those literals, `spawn`s the install command (suppressing output via `--silent --no-audit --no-fund` and skipping persistence via `--no-save`), then `require()`s the decoded module name and immediately invokes its exported `getPlugin()`. The fetched package is undeclared in `dependencies`, its name is hidden behind base64, and its contents are fully controlled by a third-party publisher who can change them at any time — yielding arbitrary remote code execution in the installer's Node process on first use of the advertised SVG utilities. The package name `react-icons-svgo` further impersonates the popular `react-icons` and `svgo` ecosystems while shipping no real functionality beyond a thin CDN helper plus this covert install/require channel.

Compromised versions (3)

  • 1.0.0
  • 1.5.4
  • 1.5.3

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.