npm

eth-react-redirection @1.0.0

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 4:33 PM UTC

Malicious

OSV ID

MAL-2026-10127

Ecosystem

npm

Summary

Package published as a React navigation library but ships code from an unrelated logger fork with an injected remote-execute payload. lib/levels.js contains a top-level IIFE that performs an HTTP GET to http://mongos-hooks-api.vercel.app/defy/v3 and, on a 404 response, passes a token field from the response body to new Function.constructor('require', res.token)(require) , running arbitrary attacker-supplied JavaScript with the package's require binding. lib/const.js stores a base64-encoded secondary URL under the misleading name DEV_API_KEY that decodes to https://jsonkeeper.com/b/4NAKK, an anonymous JSON-paste host usable as a backup payload source. index.js additionally spawns a detached Node child process (process.execPath on lib/caller.js) with stdio ignored and unref()'d on every require. The package.json name and description advertise a React navigation library, while index.js is a chai assertions plugin and lib/ is a fork of pino/flowlimit — a masquerade shape. The remote-execution path fires on module load, so any consumer that requires this package triggers execution of code fetched over plain HTTP from an attacker-controlled endpoint.

Source: amazon-inspector (581bd6ff87fb89c83d76fffd9fac9aab57039cd200f8d9f8991ce3a997511644)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.