react-icons-svgo @1.5.4
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10482
Ecosystem
npm
Summary
index.js stores base64-encoded literals ( svgValidateKey , svgValidatePattern ) that decode to the shell command npm install rollup-plugin-polyfill-handler --no-save --silent --no-audit --no-fund and to the module name rollup-plugin-polyfill-handler . When the package's advertised API ( getPlugin / setPlugin , or any SVG validation path via ValidateSvgModule / ValidateSvgModuleB ) is invoked, the code atob -decodes those literals, spawn s the install command (suppressing output via --silent --no-audit --no-fund and skipping persistence via --no-save ), then require() s the decoded module name and immediately invokes its exported getPlugin() . The fetched package is undeclared in dependencies , its name is hidden behind base64, and its contents are fully controlled by a third-party publisher who can change them at any time — yielding arbitrary remote code execution in the installer's Node process on first use of the advertised SVG utilities. The package name react-icons-svgo further impersonates the popular react-icons and svgo ecosystems while shipping no real functionality beyond a thin CDN helper plus this covert install/require channel.
Source: amazon-inspector (d0ccdc7a601182ae60a4f75d72cb54aef12fbe94cb209625f6f1c9be47b12096)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.