registry  /  eth-react-redirection  /  1.0.0

eth-react-redirection@1.0.0

A lightweight React library for **declarative and programmatic navigation** with support for redirects, route guards, authentication flows, and conditional navigation.

AI Security Review

scanned 1h ago · by lpm-firewall-ai

A dormant bundled module performs a remote request and conditionally executes server-supplied JavaScript when imported. The public entrypoint does not import that module, but it silently spawns a detached child on import.

Static reason
One or more suspicious static signals were detected.; source matched previously finalized malicious package; routed for review
Trigger
A consumer deep-imports `lib/levels.js`; importing `index.js` spawns `lib/caller.js`.
Impact
Remote code can execute in the consuming Node process if the endpoint returns the guarded response.
Mechanism
remote token fetch with conditional dynamic code execution
Rationale
The bundled remote-code-execution loader is concrete but is not imported by the declared entrypoint and no install hook exists. Flag as suspicious staged payload carrier rather than a publish block.
Evidence
index.jslib/caller.jslib/levels.jslib/config.jspackage.json
Network endpoints1
mongos-hooks-api.vercel.app/defy/v3

OSV Corroboration

OpenSSF/OSV
Advisory
MAL-2026-10127
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in eth-react-redirection (npm)
Details
Package published as a React navigation library but ships code from an unrelated logger fork with an injected remote-execute payload. lib/levels.js contains a top-level IIFE that performs an HTTP GET to http://mongos-hooks-api.vercel.app/defy/v3 and, on a 404 response, passes a `token` field from the response body to `new Function.constructor('require', res.token)(require)`, running arbitrary attacker-supplied JavaScript with the package's `require` binding. lib/const.js stores a base64-encoded secondary URL under the misleading name DEV_API_KEY that decodes to https://jsonkeeper.com/b/4NAKK, an anonymous JSON-paste host usable as a backup payload source. index.js additionally spawns a detached Node child process (process.execPath on lib/caller.js) with stdio ignored and unref()'d on every require. The package.json name and description advertise a React navigation library, while index.js is a chai assertions plugin and lib/ is a fork of pino/flowlimit — a masquerade shape. The remote-execution path fires on module load, so any consumer that requires this package triggers execution of code fetched over plain HTTP from an attacker-controlled endpoint.

Decision evidence

public snapshot
AI called this Suspicious at 98.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for block
  • `lib/levels.js` has an import-time async bootstrap.
  • It GETs `http://mongos-hooks-api.vercel.app/defy/v3`.
  • A 404 response `token` is executed via `Function.constructor`.
  • `index.js` silently spawns detached `lib/caller.js` on every import.
  • The exported Chai validator does not require the bundled `lib/` logging code.
Evidence against
  • `package.json` has no preinstall/install/postinstall hooks.
  • `lib/caller.js` only returns its own filename.
  • No credential harvesting or local file writes were found.
Behavioral surface
Source
ChildProcessEnvironmentVarsNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 18 file(s), 58.0 KB of source, external domains: github.com, mongos-hooks-api.vercel.app

Source & flagged code

1 flagged · loading source
index.jsView file
matchType = normalized_sha256 matchedPackage = chai-redirection@0.0.3 matchedPath = index.js matchedIdentity = npm:Y2hhaS1yZWRpcmVjdGlvbg:0.0.3 similarity = 1.000 summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

index.jsView on unpkg

Findings

2 High2 Medium3 Low
HighEval
HighKnown Malware Source Similarityindex.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings