MAL-2026-6137

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-error-lint/MAL-2026-6137.json
JSON Data
https://api.test.osv.dev/v1/vulns/MAL-2026-6137
Published
2026-06-18T16:32:46Z
Modified
2026-06-18T17:16:37.377692965Z
Summary
Malicious code in react-error-lint (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a084c9e71eac856bf1a1fec025773cc561f9f6677c187d60e055b89c73d846b9)

Package name and README impersonate the popular react-error-boundary library (advertising an ErrorBoundary export, citing bvaughn and kentcdodds.com), but index.js exports unrelated helpers setDefaultModule and buildoptimize. The buildoptimize function issues an HTTP request to the hardcoded URL https://vercel-node-rouge-beta.vercel.app/icons/23 and passes the response body to eval(JSON.parse(b)) with no integrity check. Any caller that invokes buildoptimize() runs whatever JavaScript the attacker-controlled Vercel preview endpoint returns at that moment, granting remote code execution on the installer's machine. The advertised ErrorBoundary API does not exist, confirming the package is a lure rather than a misnamed legitimate library.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.1.6"
            ],
            "import_time": "2026-06-18T17:08:48.285695068Z",
            "id": "IN-MAL-2026-007012",
            "modified_time": "2026-06-18T16:32:46Z",
            "source": "amazon-inspector",
            "sha256": "a084c9e71eac856bf1a1fec025773cc561f9f6677c187d60e055b89c73d846b9"
        }
    ]
}

Affected packages

npm / react-error-lint

Affected versions

1.*
1.1.6

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "react-error-lint-1.1.6.tgz",
            "hashes": {
                "sha512_sri": "sha512-vB2Ur27skmvJJ+slgW2prO0NNoLiM2M/lvegxci7HrKLZfC1oXNsYis7+MSbB6r1U0lOJwk8eb0Hmoq3gIoYAA==",
                "sha1": "2cdc932e39dff8a2081b6ee1990fb5ffa08c129b"
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "a85156a21d8021235573efe46707c524f775e236729182b2b99f85d01fb7694a693ccc",
            "path": "index.js",
            "sha256": "206b5d672da63143ded7ee4f0081782900866accb8c43bd4e07988cd09b85329"
        },
        {
            "tlsh": "88f1a8a7e5c271770c73116691663a09db6f623d063a10a1715f83ab3fa0469cf1fadc",
            "path": "README.md",
            "sha256": "3bf38f34f29547b25227f7d043d64c5ba8721d23875c6874ccc2b89933d12ede"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-error-lint/MAL-2026-6137.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]