{"id":"MAL-2026-10127","summary":"Malicious code in eth-react-redirection (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (581bd6ff87fb89c83d76fffd9fac9aab57039cd200f8d9f8991ce3a997511644)\nPackage published as a React navigation library but ships code from an unrelated logger fork with an injected remote-execute payload. lib/levels.js contains a top-level IIFE that performs an HTTP GET to http://mongos-hooks-api.vercel.app/defy/v3 and, on a 404 response, passes a `token` field from the response body to `new Function.constructor('require', res.token)(require)`, running arbitrary attacker-supplied JavaScript with the package's `require` binding. lib/const.js stores a base64-encoded secondary URL under the misleading name DEV_API_KEY that decodes to https://jsonkeeper.com/b/4NAKK, an anonymous JSON-paste host usable as a backup payload source. index.js additionally spawns a detached Node child process (process.execPath on lib/caller.js) with stdio ignored and unref()'d on every require. The package.json name and description advertise a React navigation library, while index.js is a chai assertions plugin and lib/ is a fork of pino/flowlimit — a masquerade shape. The remote-execution path fires on module load, so any consumer that requires this package triggers execution of code fetched over plain HTTP from an attacker-controlled endpoint.\n","modified":"2026-07-10T15:32:11.966832214Z","published":"2026-07-10T15:19:41Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","versions":["1.0.0"],"import_time":"2026-07-10T15:23:37.331898287Z","sha256":"581bd6ff87fb89c83d76fffd9fac9aab57039cd200f8d9f8991ce3a997511644","id":"IN-MAL-2026-009615","modified_time":"2026-07-10T15:19:41Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/eth-react-redirection/v/1.0.0"}],"affected":[{"package":{"name":"eth-react-redirection","ecosystem":"npm","purl":"pkg:npm/eth-react-redirection"},"versions":["1.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/eth-react-redirection/MAL-2026-10127.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-bO4ifiCEKWzqg7EXmDBvjaiUiIFbfXIVWTk2b+0sMR/bTcleMSFEQWHkcGPeAJcPr2UpKcd3uQYv6LX+VV73Qg==","sha1":"72c8bcdb10e8f0a06a5d4974907b2df2af5bac4b"},"filename":"eth-react-redirection-1.0.0.tgz"}],"evidence_files":[{"sha256":"7750397a04f8b936610251ceb6d8b5aa1f2f0c45298935b3bdd8e1e82bc9e24b","tlsh":"cff1a43279f460228a1664f5490fb821b176c50b300db9d9f1ae97a43f8f02d9e33b9d","path":"lib/levels.js"},{"sha256":"d10853dde92fdc48d8cb5505d89e0030fd35e1416a16a820fe5ec4aceef01c4f","path":"lib/const.js","tlsh":"b9c08c8351f0684b04301bb3a50ca991f2a1d26f0884160231f564844b396a92848fb7"},{"sha256":"195c47d5205f56ae30ddd48a1ffbefb40c230264ca4127379b8d4fee15e5da88","tlsh":"dfc1cfa839a3e0188523b1f5097fa416d476a027202dd9d8b5ecc2d01fddee89523dfb","path":"index.js"},{"sha256":"2da9a1d64d808db1e2c8821f6efbcca7ae7edbfc0f9eb68684ad2e645e37c089","path":"package.json","tlsh":"cd21bea5d868ac6319ca2591a8690457a136dd078c1cfc0d33e3835c8f9e96f05be73d"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}