npm · Malicious package advisory
Malwarereact-error-lint
MAL-2026-6137
Malicious code in react-error-lint (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (a084c9e71eac856bf1a1fec025773cc561f9f6677c187d60e055b89c73d846b9) Package name and README impersonate the popular react-error-boundary library (advertising an ErrorBoundary export, citing bvaughn and kentcdodds.com), but index.js exports unrelated helpers `setDefaultModule` and `buildoptimize`. The `buildoptimize` function issues an HTTP request to the hardcoded URL https://vercel-node-rouge-beta.vercel.app/icons/23 and passes the response body to `eval(JSON.parse(b))` with no integrity check. Any caller that invokes `buildoptimize()` runs whatever JavaScript the attacker-controlled Vercel preview endpoint returns at that moment, granting remote code execution on the installer's machine. The advertised ErrorBoundary API does not exist, confirming the package is a lure rather than a misnamed legitimate library.
Compromised versions (1)
- 1.1.6
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.