OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10626 confirms this npm version as malicious. The package's main entrypoint (index.js) is heavily obfuscated with a string-array + RC4-style decoder that reconstructs all API names and the target URL at runtime...
Advisory
MAL-2026-10626
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @react-case/option (npm)
Details
The package's main entrypoint (index.js) is heavily obfuscated with a string-array + RC4-style decoder that reconstructs all API names and the target URL at runtime. On module load it requires fs, os, path, crypto, and child_process, performs an HTTP GET against the runtime-reconstructed remote host, splits the response on ':', decrypts the parts with createDecipheriv using a hardcoded key/IV, writes the resulting bytes to a file under os.homedir(), and executes that file via child_process with cwd set to the user's home directory and windowsHide:true. The package ships no README, has an empty description and empty author metadata, and there is no legitimate library functionality — the only effect of requiring it is fetch-decrypt-write-exec of attacker-controlled code on the installer's machine.
Decision reason
One or more suspicious static signals were detected.
References
Decision evidence
public snapshotBehavioral surface
HighEntropyStringsMinifiedTrivial
Source & flagged code
1 flagged · loading sourceindex.jsView file
1function c(b,d){b=b-(0x1f+0x13eb+-0x1352);var e=a();var f=e[b];if(c['PBIPEn']===undefined){var g=function(l){var m='[redacted]+/...
High
Obfuscated Payload Loader
Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.
index.jsView on unpkg · L1Findings
1 High1 Medium2 Low
HighObfuscated Payload Loaderindex.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowHigh Entropy Strings