registry  /  mui-option  /  1.0.0

mui-option@1.0.0

OSV Malicious Advisory

scanned 14h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10738 confirms this npm version as malicious. The sole shipped file index.js is heavily obfuscated with a base64+RC4 string-array decoder that hides all module names, URLs, and method identifiers. On import (main entrypoint), it requires child_process, os, fs, path, crypto and https, issues an https.get to a runtime-decoded URL, splits the response on ':' into an IV and ciphertext, derives a key with crypto.scryptSync, decrypts the payload with...

Advisory
MAL-2026-10738
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in mui-option (npm)
Details
The sole shipped file index.js is heavily obfuscated with a base64+RC4 string-array decoder that hides all module names, URLs, and method identifiers. On import (main entrypoint), it requires child_process, os, fs, path, crypto and https, issues an https.get to a runtime-decoded URL, splits the response on ':' into an IV and ciphertext, derives a key with crypto.scryptSync, decrypts the payload with crypto.createDecipheriv, writes the decrypted bytes to a file under os.tmpdir(), and executes that file via child_process.exec. The package has no legitimate advertised functionality, its name resembles the MUI ecosystem, and no other code path exists. Any project that requires mui-option triggers execution of attacker-controlled native code on the installer host. The tarball also ships npm_recovery_codes.txt containing five 64-character hex strings matching the format of npm 2FA recovery codes, suggesting a publishing-account compromise.
Decision reason
OpenSSF Malicious Packages via OSV confirms mui-option@1.0.0 as malicious (MAL-2026-10738): Malicious code in mui-option (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory