Supply-chain threat intelligence

Incident detail

criticalnpm·credential theft·osv

Malicious code in react-hook-scripts (npm)

react-hook-scripts

Risk score

92

AI summary

Indexed incident for react-hook-scripts (npm).

Description

The package's default export getPlugin fetches a JSON document from the hardcoded endpoint https://svganchordev.net/icons/108 and passes the returned credits field to new Function('require','module','exports',...,'Promise', data.credits), executing the server-supplied string as JavaScript with full Node.js globals (require, process, Buffer) available. The remote URL is assembled by concatenating protocol/separator/domain/path fragments and the request is framed with an bearrtoken: "logo" header and an icon-retrieval path, disguising a remote code loader as an SVG helper despite the package's advertised role as a React/SVG utility. Declared dependencies (@primno/dpapi for Windows DPAPI decryption, better-sqlite3, node-machine-id) are consistent with a credential and host-fingerprint stealer stage delivered by the fetched payload. Any caller of the advertised API triggers execution of arbitrary attacker-controlled code on the installer's host, and the payload can be changed server-side at any time.

Technical details

Affected versions

=5.4.2

Indicators

  • affected version=5.4.275%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents