{"id":"MAL-2026-4631","summary":"Malicious code in opentiny-react (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (70307cffed06951bdb7b961e7846e3b3e0ba660b75ddca0b4fa11366ab94dc6d)\nThe package `opentiny-react` reproduces the source, README, and CHANGELOG of the legitimate `@tinymce/tinymce-react` integration verbatim under a confusable unscoped name. Its `package.json` falsifies the author as 'Ephox Corporation DBA Tiny Technologies, Inc.' while the repository points to `github.com/mild-blue/opentiny-react`, which is not the real Tiny organization (`tinymce/tinymce-react`). The wrapper itself ships no runtime payload, but `package.json` declares `\"opentiny\": \"6.9.31\"` as a runtime dependency — a name that mimics `tinymce` and is pinned to the same 6.9.31 version as this wrapper, consistent with a coordinated impersonation cluster. A real `@tinymce/tinymce-react` installation pulls `tinymce`, not `opentiny`. Installing `opentiny-react` silently pulls the attacker-controlled `opentiny` package into the dependency tree where its install-time and import-time code will execute against the installer.\n","modified":"2026-05-27T00:32:06.805630029Z","published":"2026-05-25T10:31:12Z","withdrawn":"2026-05-26T22:13:04Z","database_specific":{"malicious-packages-origins":[{"sha256":"70307cffed06951bdb7b961e7846e3b3e0ba660b75ddca0b4fa11366ab94dc6d","id":"IN-MAL-2026-004622","import_time":"2026-05-26T05:52:58.03041246Z","versions":["6.9.31"],"source":"amazon-inspector","modified_time":"2026-05-25T10:31:12Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/opentiny-react/v/6.9.31"}],"affected":[{"package":{"name":"opentiny-react","ecosystem":"npm","purl":"pkg:npm/opentiny-react"},"versions":["6.9.31"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/opentiny-react/MAL-2026-4631.json","indicators":{"package_integrity":[{"filename":"opentiny-react-6.9.31.tgz","hashes":{"sha512_sri":"sha512-Pope4ceD4EBFVlz8FHwDmBPy7MkJ4Agg3ljCALxO4dBIpp3/H+m3CFBf6vQZw4PH1kMh7tGzosUWiUZmFlKx1A==","sha1":"4fd20762cb62c4590822914994aeabb5ed17e536"}}],"evidence_files":[{"sha256":"3f178d3fc775b053e8565c1a417431e410746b7758ac305e9e2723d9c2476d11","path":"package.json","tlsh":"c2510048c8298cb32dca0298aa741b52e43c44031c61fc4c37e243ad4f5d66f627cbae"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}