mui-option @1.0.0
Vulnerability report · Last retrieved from osv.dev July 16, 2026 at 7:58 PM UTC
OSV ID
MAL-2026-10738
Ecosystem
npm
Summary
The sole shipped file index.js is heavily obfuscated with a base64+RC4 string-array decoder that hides all module names, URLs, and method identifiers. On import (main entrypoint), it requires child_process, os, fs, path, crypto and https, issues an https.get to a runtime-decoded URL, splits the response on ':' into an IV and ciphertext, derives a key with crypto.scryptSync, decrypts the payload with crypto.createDecipheriv, writes the decrypted bytes to a file under os.tmpdir(), and executes that file via child_process.exec. The package has no legitimate advertised functionality, its name resembles the MUI ecosystem, and no other code path exists. Any project that requires mui-option triggers execution of attacker-controlled native code on the installer host. The tarball also ships npm_recovery_codes.txt containing five 64-character hex strings matching the format of npm 2FA recovery codes, suggesting a publishing-account compromise.
Source: amazon-inspector (8e1c3ec117eaeedbd4c3f64c2fec97d44e115d400c7e52082b7d6cc28f7c59ec)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.