npm

react-hook-scripts @5.4.2

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 9:54 PM UTC

Malicious

OSV ID

MAL-2026-10684

Ecosystem

npm

Summary

The package's default export getPlugin fetches a JSON document from the hardcoded endpoint https://svganchordev.net/icons/108 and passes the returned credits field to new Function('require','module','exports',...,'Promise', data.credits) , executing the server-supplied string as JavaScript with full Node.js globals (require, process, Buffer) available. The remote URL is assembled by concatenating protocol/separator/domain/path fragments and the request is framed with an bearrtoken: "logo" header and an icon-retrieval path, disguising a remote code loader as an SVG helper despite the package's advertised role as a React/SVG utility. Declared dependencies (@primno/dpapi for Windows DPAPI decryption, better-sqlite3, node-machine-id) are consistent with a credential and host-fingerprint stealer stage delivered by the fetched payload. Any caller of the advertised API triggers execution of arbitrary attacker-controlled code on the installer's host, and the payload can be changed server-side at any time.

Source: amazon-inspector (52d4b717c5de5139b732e16ea9eca2654947ecf17e919334a6dd039c5b60e059)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.