registry  /  @react-case/option  /  1.0.0

@react-case/option@1.0.0

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10626 confirms this npm version as malicious. The package's main entrypoint (index.js) is heavily obfuscated with a string-array + RC4-style decoder that reconstructs all API names and the target URL at runtime...

Advisory
MAL-2026-10626
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @react-case/option (npm)
Details
The package's main entrypoint (index.js) is heavily obfuscated with a string-array + RC4-style decoder that reconstructs all API names and the target URL at runtime. On module load it requires fs, os, path, crypto, and child_process, performs an HTTP GET against the runtime-reconstructed remote host, splits the response on ':', decrypts the parts with createDecipheriv using a hardcoded key/IV, writes the resulting bytes to a file under os.homedir(), and executes that file via child_process with cwd set to the user's home directory and windowsHide:true. The package ships no README, has an empty description and empty author metadata, and there is no legitimate library functionality — the only effect of requiring it is fetch-decrypt-write-exec of attacker-controlled code on the installer's machine.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
SourceNo risky source behavior triggered.
Supply chain
HighEntropyStringsMinifiedTrivial
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 23.6 KB of source

Source & flagged code

1 flagged · loading source
index.jsView file
1function c(b,d){b=b-(0x1f+0x13eb+-0x1352);var e=a();var f=e[b];if(c['PBIPEn']===undefined){var g=function(l){var m='[redacted]+/...
High
Obfuscated Payload Loader

Source contains an obfuscator-style string-array loader that reconstructs and executes hidden code.

index.jsView on unpkg · L1

Findings

1 High1 Medium2 Low
HighObfuscated Payload Loaderindex.js
MediumStructural Risk Force Deep Review
LowScripts Present
LowHigh Entropy Strings