npm · Malicious package advisory
Malwareopentiny-react
MAL-2026-4631
Malicious code in opentiny-react (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (70307cffed06951bdb7b961e7846e3b3e0ba660b75ddca0b4fa11366ab94dc6d) The package `opentiny-react` reproduces the source, README, and CHANGELOG of the legitimate `@tinymce/tinymce-react` integration verbatim under a confusable unscoped name. Its `package.json` falsifies the author as 'Ephox Corporation DBA Tiny Technologies, Inc.' while the repository points to `github.com/mild-blue/opentiny-react`, which is not the real Tiny organization (`tinymce/tinymce-react`). The wrapper itself ships no runtime payload, but `package.json` declares `"opentiny": "6.9.31"` as a runtime dependency — a name that mimics `tinymce` and is pinned to the same 6.9.31 version as this wrapper, consistent with a coordinated impersonation cluster. A real `@tinymce/tinymce-react` installation pulls `tinymce`, not `opentiny`. Installing `opentiny-react` silently pulls the attacker-controlled `opentiny` package into the dependency tree where its install-time and import-time code will execute against the installer.
Compromised versions (1)
- 6.9.31
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.