VYPR

npm · Malicious package advisory

Malware

react-error-lint

MAL-2026-6137

Malicious code in react-error-lint (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a084c9e71eac856bf1a1fec025773cc561f9f6677c187d60e055b89c73d846b9)
Package name and README impersonate the popular react-error-boundary library (advertising an ErrorBoundary export, citing bvaughn and kentcdodds.com), but index.js exports unrelated helpers `setDefaultModule` and `buildoptimize`. The `buildoptimize` function issues an HTTP request to the hardcoded URL https://vercel-node-rouge-beta.vercel.app/icons/23 and passes the response body to `eval(JSON.parse(b))` with no integrity check. Any caller that invokes `buildoptimize()` runs whatever JavaScript the attacker-controlled Vercel preview endpoint returns at that moment, granting remote code execution on the installer's machine. The advertised ErrorBoundary API does not exist, confirming the package is a lure rather than a misnamed legitimate library.

Compromised versions (1)

  • 1.1.6

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.