npm

eth-react-redirection @1.0.2

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10127

Ecosystem

npm

Summary

On require(), index.js calls callCallerAsOrigin() which spawns lib/caller.js as a detached, stdio-ignored child process (spawn(process.execPath, [script], { detached: true, stdio: 'ignore' }); child.unref()). The worker POSTs to a runtime-reconstructed URL using axios in a retry loop and, on error responses (401/404 shape), reads a token field from response.data and passes it to new module.exports.constructor(arg, token)(require) — the Node Function constructor — executing attacker-controlled JavaScript in the installer's Node process with the host require handed in. lib/caller.js and lib/config.js are wrapped in Function(name, "...")({...}) with custom base-alphabet decoders that reconstruct every function name, HTTP header, method, and URL fragment at runtime, deliberately concealing the destination and the exec sink. Package metadata is a cover story: package.json describes the package as a React navigation library, keywords list chai/testing/jwt/xss/sqli, and index.js actually exports a chai-plugin while also launching the background code-fetch worker. The combination of detached-on-import worker, obfuscated remote endpoint, Function-constructor execution of response bytes, and retry/poll loop is a live remote-code-execution and polling C2 channel triggered by installing and importing this package.

Source: amazon-inspector (cbd414dae34760c2eda09d2093a62a14d694f759350676e88229319a16594e78)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.