registry  /  eth-react-redirection  /  1.0.2

eth-react-redirection@1.0.2

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10127 confirms this npm version as malicious. On require(), index.js calls callCallerAsOrigin() which spawns lib/caller.js as a detached, stdio-ignored child process (spawn(process.execPath, [script], { detached: true, stdio: 'ignore' }); child.unref()). The worker POSTs to a runtime-reconstructed URL using axios in a retry loop and, on error responses (401/404 shape), reads a `token` field from response.data and passes it to `new...

Advisory
MAL-2026-10127
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in eth-react-redirection (npm)
Details
On require(), index.js calls callCallerAsOrigin() which spawns lib/caller.js as a detached, stdio-ignored child process (spawn(process.execPath, [script], { detached: true, stdio: 'ignore' }); child.unref()). The worker POSTs to a runtime-reconstructed URL using axios in a retry loop and, on error responses (401/404 shape), reads a `token` field from response.data and passes it to `new module.exports.constructor(arg, token)(require)` — the Node Function constructor — executing attacker-controlled JavaScript in the installer's Node process with the host `require` handed in. lib/caller.js and lib/config.js are wrapped in `Function(name, "...")({...})` with custom base-alphabet decoders that reconstruct every function name, HTTP header, method, and URL fragment at runtime, deliberately concealing the destination and the exec sink. Package metadata is a cover story: package.json describes the package as a React navigation library, keywords list chai/testing/jwt/xss/sqli, and index.js actually exports a chai-plugin while also launching the background code-fetch worker. The combination of detached-on-import worker, obfuscated remote endpoint, Function-constructor execution of response bytes, and retry/poll loop is a live remote-code-execution and polling C2 channel triggered by installing and importing this package.
Decision reason
OpenSSF Malicious Packages via OSV confirms eth-react-redirection@1.0.2 as malicious (MAL-2026-10127): Malicious code in eth-react-redirection (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory