registry  /  react-hook-scripts  /  5.4.2

react-hook-scripts@5.4.2

A collection of reusable React utilities, helper functions, SVG tools, networking utilities, and development scripts for modern web applications.

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10684 confirms this npm version as malicious. The package's default export `getPlugin` fetches a JSON document from the hardcoded endpoint https://svganchordev.net/icons/108 and passes the returned `credits` field to `new Function('require','module','exports',...,'Promise', data.credits)`, executing the server-supplied string as JavaScript with full Node.js globals (require, process, Buffer) available...

Advisory
MAL-2026-10684
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in react-hook-scripts (npm)
Details
The package's default export `getPlugin` fetches a JSON document from the hardcoded endpoint https://svganchordev.net/icons/108 and passes the returned `credits` field to `new Function('require','module','exports',...,'Promise', data.credits)`, executing the server-supplied string as JavaScript with full Node.js globals (require, process, Buffer) available. The remote URL is assembled by concatenating protocol/separator/domain/path fragments and the request is framed with an `bearrtoken: "logo"` header and an icon-retrieval path, disguising a remote code loader as an SVG helper despite the package's advertised role as a React/SVG utility. Declared dependencies (@primno/dpapi for Windows DPAPI decryption, better-sqlite3, node-machine-id) are consistent with a credential and host-fingerprint stealer stage delivered by the fetched payload. Any caller of the advertised API triggers execution of arbitrary attacker-controlled code on the installer's host, and the payload can be changed server-side at any time.
Decision reason
OpenSSF Malicious Packages via OSV confirms react-hook-scripts@5.4.2 as malicious (MAL-2026-10684): Malicious code in react-hook-scripts (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory