Supply-chain threat intelligence
Risk score
92
Indexed incident for react-hook-scripts (npm).
The package's default export getPlugin fetches a JSON document from the hardcoded endpoint https://svganchordev.net/icons/108 and passes the returned credits field to new Function('require','module','exports',...,'Promise', data.credits), executing the server-supplied string as JavaScript with full Node.js globals (require, process, Buffer) available. The remote URL is assembled by concatenating protocol/separator/domain/path fragments and the request is framed with an bearrtoken: "logo" header and an icon-retrieval path, disguising a remote code loader as an SVG helper despite the package's advertised role as a React/SVG utility. Declared dependencies (@primno/dpapi for Windows DPAPI decryption, better-sqlite3, node-machine-id) are consistent with a credential and host-fingerprint stealer stage delivered by the fetched payload. Any caller of the advertised API triggers execution of arbitrary attacker-controlled code on the installer's host, and the payload can be changed server-side at any time.
Affected versions
Indicators
Timeline