{"id":"MAL-2026-4359","summary":"Malicious code in @agora-sdk/react-js (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (9febb9d8dda2eea07ef909b9713ca6531c4a5b51a75fd730a312bec8d8a11135)\nPackage is published under the '@agora-sdk' scope, strongly associated with Agora.io's real-time-communications SDKs, but its actual contents are a fork of @replyke/react-js (exports ReplykeProvider, useReplykeDispatch, selectAccessToken; storage keys 'replyke-accounts:'). A header comment in dist/cjs/hooks/useOAuthSignIn.js explicitly states the original Replyke OAuth base URL was 'repointed... to a self-hosted, Replyke-compatible Agora backend' by a third-party author. useOAuthSignIn POSTs `${getApiBaseUrl()}/${projectId}/oauth/(authorize|link)` with provider/redirect data and unconditionally redirects the user to the response's `authorizationUrl`; the base URL is supplied by sibling package @agora-sdk/core (same publisher), so the entire OAuth initiation and token-issuance path is controlled by the package author rather than by Replyke or by the consuming application. Access and refresh tokens parsed from the post-OAuth URL fragment are persisted under storage keys consumers expect to be Replyke-issued. Net effect on an integrator: end-user OAuth sessions for any application built against this 'Agora SDK' are intermediated by an author-chosen backend, enabling silent token interception and session impersonation. The combination of namespace impersonation of a well-known vendor (Agora.io) plus a covert redirect of an unrelated upstream library's auth endpoint is a deliberate supply-chain deception, not a fork in good faith.\n","modified":"2026-05-27T00:32:01.030859459Z","published":"2026-05-25T08:03:02Z","withdrawn":"2026-05-26T19:42:47Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-05-25T08:03:02Z","import_time":"2026-05-26T05:52:54.64311122Z","id":"IN-MAL-2026-004595","versions":["1.0.2"],"source":"amazon-inspector","sha256":"1aa4cac1867c97f5be37d67a778eb5bf92f6ef1121eb173d870901428aaad1bc"},{"import_time":"2026-05-26T05:52:55.044678722Z","modified_time":"2026-05-25T08:11:12Z","id":"IN-MAL-2026-004598","versions":["1.0.3"],"source":"amazon-inspector","sha256":"9febb9d8dda2eea07ef909b9713ca6531c4a5b51a75fd730a312bec8d8a11135"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@agora-sdk/react-js/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/@agora-sdk/react-js/v/1.0.3"}],"affected":[{"package":{"name":"@agora-sdk/react-js","ecosystem":"npm","purl":"pkg:npm/%40agora-sdk%2Freact-js"},"versions":["1.0.2","1.0.3"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"77b1955316a301a15bb385d57b47a817b03b504b3d9ce150754e4b982f0f88e8f27ada","path":"dist/cjs/hooks/useOAuthSignIn.js","sha256":"84d891c093f1955f1fed2b7d154cfec3e503b38708cf9f7f65baa4dffab7671d"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-yJJDitOnCzEIdOPToCa1wQxPdji/ZU5PGm3R8UUqWGzC4dn7Ac1mOt8em4FGe4c33mhodD8WbuAR9sny2DVT4w==","sha1":"956c037c2d3970c3a4b040fc83bb8c0c78088a27"},"filename":"react-js-1.0.2.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@agora-sdk/react-js/MAL-2026-4359.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}