react-hot-svg @1.1.5
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10439
Ecosystem
npm
Summary
index.js in react-hot-svg 1.1.4 hides both a shell command and a package name as base64 strings named svgValidateKey and svgValidatePattern . When any of the exported API surface ( getPlugin , setPlugin , validateSvgContent ) is invoked, the code decodes svgValidateKey via atob to the string npm install rollup-plugin-polyfill-handler --no-save --silent --no-audit --no-fund , spawns it via child_process.spawn with stdio: 'ignore' , and on process exit require() s the base64-decoded module name rollup-plugin-polyfill-handler and immediately invokes its .getPlugin()() function. The --no-save --silent --no-audit --no-fund flags suppress output and prevent the added dependency from appearing in package.json or the lockfile. The obfuscation of both the command and the required module name, the SVG-themed cover identifiers, and the pattern of installing-then-requiring-then-executing an undeclared external package match a dropper that lands and executes attacker-controlled code from a separate npm package on any consumer who uses this library's advertised API.
Source: amazon-inspector (847fe0ea93982597b0611e6fd23f1b77af40b7162baf338659fbff8deb7fb051)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.