registry  /  react-icons-svgo  /  1.5.3

react-icons-svgo@1.5.3

A lightweight React utility for fetching, validating, and managing SVG icons from CDN sources.

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10482 confirms this npm version as malicious. index.js stores base64-encoded literals (`svgValidateKey`, `svgValidatePattern`) that decode to the shell command `npm install rollup-plugin-polyfill-handler --no-save --silent --no-audit --no-fund` and to the module name `rollup-plugin-polyfill-handler`...

Advisory
MAL-2026-10482
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in react-icons-svgo (npm)
Details
index.js stores base64-encoded literals (`svgValidateKey`, `svgValidatePattern`) that decode to the shell command `npm install rollup-plugin-polyfill-handler --no-save --silent --no-audit --no-fund` and to the module name `rollup-plugin-polyfill-handler`. When the package's advertised API (`getPlugin`/`setPlugin`, or any SVG validation path via `ValidateSvgModule`/`ValidateSvgModuleB`) is invoked, the code `atob`-decodes those literals, `spawn`s the install command (suppressing output via `--silent --no-audit --no-fund` and skipping persistence via `--no-save`), then `require()`s the decoded module name and immediately invokes its exported `getPlugin()`. The fetched package is undeclared in `dependencies`, its name is hidden behind base64, and its contents are fully controlled by a third-party publisher who can change them at any time — yielding arbitrary remote code execution in the installer's Node process on first use of the advertised SVG utilities. The package name `react-icons-svgo` further impersonates the popular `react-icons` and `svgo` ecosystems while shipping no real functionality beyond a thin CDN helper plus this covert install/require channel.
Decision reason
OpenSSF Malicious Packages via OSV confirms react-icons-svgo@1.5.3 as malicious (MAL-2026-10482): Malicious code in react-icons-svgo (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory