react-ui-mat@5.81.22
A typosquat targeting the popular @mui/material React UI library. Published 160 versions to appear legitimate and established. Ships a 70KB common.js file processed through javascript-obfuscator with characteristic _0x variable naming pattern. The obfuscation makes the actual payload impossible to audit through static analysis. The sustained publishing of 160 versions suggests automated tooling and a determined attacker.
react-ui-mat@5.81.22 is a typosquat of @mui/material (Material UI) that has been actively maintained for 3 years across 160 versions. Every file in dist/ is heavily obfuscated using javascript-obfuscator with _0x hex-encoded variable names. The main payload is dist/common.js (70KB single-line obfuscated), which is imported by all component files. Real React component files (Button, Badges, Input, etc.) serve as cover to make the package look legitimate. The repo URL points to an unrelated jsts repository — another mismatch indicator.
| Field | Value |
|---|---|
| Name | react-ui-mat |
| Version | 5.81.22 |
| Impersonates | @mui/material (Material UI) |
| Maintainer | ademirtemur (ademir91360@gmail.com) |
| Repository | github.com/ademirtemur/jsts (mismatched) |
| Versions | 160 (since 2023-03-28 — 3 years active) |
| License | MIT |
| Published | Active since 2023 |
| Risk Score | 875 (filter: 45, scanner: 830) |

| Dependency | Notes |
|---|---|
| mat-date | Unknown package, likely part of campaign |
| mjstl | Unknown package, likely part of campaign |
| react | Legitimate — used as cover |
| react-dom | Legitimate — used as cover |
| tslib | Legitimate |
Every .js file in dist/ is obfuscated with javascript-obfuscator. Scanner detected 41 findings total — predominantly minified/obfuscated source files. Examples of hex-encoded patterns found:
Circular.js line 1:

```javascript
'use strict';var a0_0x2b770d=this&&this['__createBinding']||(Object['create']?
function(_0x3f3425,_0x5613a1,_0x2837c9,_0x...
```

Input.js line 1:

```javascript
'use strict';var a0_0x5e3f97=this&&this['__createBinding']||(Object['create']?
function(_0x11b558,_0x453c7a,_0x34bb29,_0x...
```

MKPlayer.js line 1:

```javascript
'use strict';var a0_0x3acde3=this&&this['__importDefault']||
function(_0x4ec0df){return _0x4ec0df&&_0x4ec0df['__esModule']...
```
dist/common.js is a single line of 70,378 characters — fully obfuscated. This file is the core payload and is imported by every other component file. For reference, a legitimate React utility file of this complexity would be ~200-500 lines of readable code, not a single 70KB line.
The package includes realistic-looking component file names to mimic Material UI:
```text
Animate.js, Appip.js, Badges.js, Button.js, CardSection.js,
Checkbox.js, Circular.js, Collapse.js, DraggableModal.js,
DraggablePanel.js, FilterPanel.js, Icons.js, Input.js,
InputFields.js, MKPlayer.js, Multiselect.js, MUPlayer.js,
Numeral.js, OvView.js, Paginator.js, PasswordInput.js,
Phone.js, Picker.js, Progress.js, Radio.js, Rate.js,
ReceiptCapture.js, SearchSelect.js, Select.js, SortDirection.js,
Spinner.js, Switch.js, Tooltip.js, utils.js
```
All are minified single-line files ranging from 1,024 to 47,400 characters per line.
Package name react-ui-mat does not match the claimed repository jsts. The repo github.com/ademirtemur/jsts is unrelated to React UI components.
The 160 versions published over 3 years (since March 2023) indicate that this is actively maintained malware, not a one-off upload. The attacker has been refining and updating the obfuscated payload regularly.
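The two metadata mismatches above (a repository whose name has nothing in common with the package, and dependencies nobody has reviewed) can be checked from package.json before anything is installed. The following is an added example, not code from the advisory or from the react-ui-mat package. It normalises the shapes npm accepts for the `repository` field, compares the repository owner/name with the package name token by token, and lists dependencies outside a reviewed allowlist. The allowlist, the version ranges, and the control manifest are constructed for the example; the suspect manifest's name, version, repository URL and dependency names are the ones in the advisory's tables.

```javascript
// Added example, not code from the advisory or the react-ui-mat package:
// metadata checks that surface the advisory's "mismatched repository" and
// "unknown dependency" findings from a package.json object alone.

// Map of shorthand prefixes npm understands to their hosts.
const SHORTHAND_HOSTS = { github: 'github.com', gitlab: 'gitlab.com', bitbucket: 'bitbucket.org' };

// Normalise the shapes npm accepts for "repository" into "host/owner/repo":
// "owner/repo", "github:owner/repo", "git+https://host/owner/repo.git",
// "ssh://git@host/owner/repo" and a bare "host/owner/repo" all resolve.
// Anything else (e.g. scp-style git@host:owner/repo) yields null, which the
// audit treats as "could not verify".
function repositorySlug(repository) {
  let url = typeof repository === 'string' ? repository : repository && repository.url;
  if (!url) return null;
  url = url.trim().replace(/^git\+/, '').replace(/\.git$/, '');
  const shorthand = url.match(/^(?:(github|gitlab|bitbucket):)?([\w.-]+)\/([\w.-]+)$/);
  if (shorthand) return `${SHORTHAND_HOSTS[shorthand[1] || 'github']}/${shorthand[2]}/${shorthand[3]}`;
  const full = url.match(/^(?:(?:https?|git|ssh):\/\/)?(?:[^@/]+@)?([^/:]+)\/([^/]+)\/([^/#?]+)/);
  return full ? `${full[1]}/${full[2]}/${full[3]}` : null;
}

// Lower-case alphanumeric tokens of a package or repository name; the scope
// marker and separators are dropped, so "@mui/material" -> {mui, material}.
function nameTokens(name) {
  return new Set(name.toLowerCase().split(/[^a-z0-9]+/).filter(Boolean));
}

// Compare the package name with the repository's owner/name. A shared token is
// a weak signal only (many packages share "react" or "ui"); no shared token at
// all is the advisory's "mismatched repository" finding and deserves a look.
function repositoryCheck(pkg) {
  const slug = repositorySlug(pkg.repository);
  if (!slug) return { slug: null, mismatch: true, shared: [] };
  const [, owner, repo] = slug.split('/');
  const repoTokens = nameTokens(`${owner}/${repo}`);
  const shared = [...nameTokens(pkg.name)].filter((t) => repoTokens.has(t));
  return { slug, mismatch: shared.length === 0, shared };
}

// Dependencies that are not on the team's reviewed allowlist.
function unknownDependencies(pkg, allowlist) {
  return Object.keys(pkg.dependencies || {}).filter((dep) => !allowlist.has(dep));
}

// Run both checks and return the findings as plain strings.
function auditManifest(pkg, allowlist) {
  const repo = repositoryCheck(pkg);
  const findings = [];
  if (repo.mismatch) {
    findings.push(`repository ${repo.slug || '(unparseable)'} shares no name token with ${pkg.name}`);
  }
  for (const dep of unknownDependencies(pkg, allowlist)) {
    findings.push(`dependency ${dep} is not on the reviewed allowlist`);
  }
  return { name: pkg.name, version: pkg.version, findings };
}

// ---- constructed inputs ----
// Manifest shaped from the advisory's tables (name, version, repository URL,
// dependency names); the version ranges are made up for the example.
const SUSPECT_MANIFEST = {
  name: 'react-ui-mat',
  version: '5.81.22',
  repository: { type: 'git', url: 'git+https://github.com/ademirtemur/jsts.git' },
  dependencies: { 'mat-date': '*', mjstl: '*', react: '^18.0.0', 'react-dom': '^18.0.0', tslib: '^2.0.0' },
};
// Control manifest in the shape of the genuine package (constructed, not its
// real file): scope and repository owner agree, all dependencies are reviewed.
const CONTROL_MANIFEST = {
  name: '@mui/material',
  version: '0.0.0-example',
  repository: { type: 'git', url: 'git+https://github.com/mui/material-ui.git' },
  dependencies: { react: '^18.0.0', 'react-dom': '^18.0.0' },
};
// Assumption: packages this team has already reviewed.
const REVIEWED = new Set(['react', 'react-dom', 'tslib']);

console.log(auditManifest(SUSPECT_MANIFEST, REVIEWED));
console.log(auditManifest(CONTROL_MANIFEST, REVIEWED));
```

Run it with `node` and the suspect manifest yields three findings (the jsts repository plus mat-date and mjstl), while the control manifest yields none. Treat a clean result as "nothing obvious", not as a pass: the token comparison is deliberately loose, so a typosquat that copies a plausible repository name would slip through this check and needs the file-level analysis described later in the advisory.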
| File | Avg Line Length (chars) |
|---|---|
| common.js | 70,378 |
| utils.js | 47,400 |
| Picker.js | 25,955 |
| SearchSelect.js | 20,836 |
| Select.js | 18,886 |
| MKPlayer.js | 17,783 |
| Multiselect.js | 17,062 |
| MUPlayer.js | 16,503 |
| Phone.js | 15,495 |
| index.js | 15,430 |
| Context.js | 15,026 |
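The scanner findings above rest on two measurable signals: `_0x` hex-encoded identifiers (the naming javascript-obfuscator produces, optionally with a prefix such as `a0_0x`) and lines of tens of thousands of characters. The following is an added example, not code from the advisory, the scanner, or the react-ui-mat package, showing how an installer-side audit can compute both over a package's files and separate "obfuscated" from merely "minified", since many legitimate builds also ship long single lines. The thresholds (5,000 characters, 5 distinct `_0x` names) are assumptions chosen for the example, and the three sample files are synthetic, built inline rather than taken from the package.

```javascript
// Added example, not code from the advisory or the react-ui-mat package:
// line-length and identifier heuristics over a { fileName: source } map.

// javascript-obfuscator names look like _0x3f3425 or, with a prefix, a0_0x2b770d.
const HEX_IDENT = /\b[a-z0-9]*_0x[0-9a-f]{4,}\b/g;
const LONG_LINE = 5000;    // chars on one line before a file counts as minified (assumption)
const MIN_HEX_IDENTS = 5;  // distinct _0x names before a file counts as obfuscated (assumption)

// Distinct _0x-style identifiers in a source string.
function hexIdentifiers(source) {
  return new Set(source.match(HEX_IDENT) || []);
}

// Line count, average and maximum line length (a trailing newline is ignored).
function lineStats(source) {
  const lengths = source.replace(/\n$/, '').split('\n').map((l) => l.length);
  const total = lengths.reduce((a, b) => a + b, 0);
  return { lines: lengths.length, avg: total / lengths.length, max: Math.max(...lengths) };
}

// Verdict for one file. A long line on its own only means "minified", which
// plenty of legitimate builds are; _0x naming on top of it is what points at
// javascript-obfuscator rather than an ordinary minifier.
function assessFile(name, source) {
  const stats = lineStats(source);
  const hex = hexIdentifiers(source);
  let verdict = 'readable';
  if (hex.size >= MIN_HEX_IDENTS) verdict = 'obfuscated';
  else if (stats.max >= LONG_LINE) verdict = 'minified';
  return {
    name,
    lines: stats.lines,
    avgLineLength: Math.round(stats.avg),
    maxLineLength: stats.max,
    hexIdentifiers: hex.size,
    verdict,
  };
}

// Assess every file and return the non-readable ones, longest line first,
// which is the shape of the advisory's line-length table.
function assessPackage(files) {
  return Object.entries(files)
    .map(([name, src]) => assessFile(name, src))
    .filter((r) => r.verdict !== 'readable')
    .sort((a, b) => b.maxLineLength - a.maxLineLength);
}

// ---- constructed samples (synthetic, not the package's real files) ----
// Synthetic javascript-obfuscator-style output: _0x hex names, bracket property
// access, everything on one line padded out with 200 generated statements.
const OBF_HEADER =
  "'use strict';var a0_0x1a2b3c=this&&this['__createBinding']||(Object['create']?" +
  "function(_0x3f3425,_0x5613a1,_0x2837c9,_0x4a1b2c){return _0x3f3425[_0x5613a1]=_0x2837c9[_0x4a1b2c];}:void 0);";
const OBF_SAMPLE =
  OBF_HEADER +
  Array.from({ length: 200 }, (_, i) => `var _0x${(0x10000 + i).toString(16)}=_0x3f3425['k${i}'];`).join('');

// Synthetic minified-but-honest bundle: one long line, ordinary short names.
const MIN_SAMPLE = Array.from({ length: 300 }, (_, i) => `function f${i}(a,b){return a+b}`).join('');

// Synthetic readable component, the kind of file a real UI library ships in src/.
const CLEAN_SAMPLE = [
  "import React from 'react';",
  '',
  'export function Button({ label, onClick }) {',
  '  return (',
  '    <button type="button" onClick={onClick}>',
  '      {label}',
  '    </button>',
  '  );',
  '}',
  '',
].join('\n');

const SAMPLE_FILES = { 'common.js': OBF_SAMPLE, 'vendor.min.js': MIN_SAMPLE, 'Button.js': CLEAN_SAMPLE };
console.table(assessPackage(SAMPLE_FILES));
```

On the samples, `vendor.min.js` is reported as minified (long line, no `_0x` names) and `common.js` as obfuscated, while `Button.js` is left out of the table. Against a real package, feed it the contents of each file under dist/ and treat any file with a high `_0x` count as unreviewable until it has been deobfuscated; a very long line with ordinary names is a prompt to look for the corresponding source map or unminified source, not a finding by itself.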

| Technique | ID | Evidence |
|---|---|---|
| Supply Chain Compromise: Compromise Software Supply Chain | T1195.002 | Typosquat of @mui/material published to npm |
| Obfuscated Files or Information | T1027 | All source files use javascript-obfuscator with _0x patterns |
| Masquerading: Match Legitimate Name or Location | T1036.005 | Package name mimics Material UI naming convention |
| Ingress Tool Transfer | T1105 | 70KB obfuscated common.js loaded by all components |
| Command and Scripting Interpreter: JavaScript | T1059.007 | Obfuscated JS executes on import |
| Masquerading: Invalid Code Signature | T1036.001 | Repo URL points to unrelated jsts project |
Malicious — Obfuscated Typosquat (3 Years Active). The package has been actively maintained across 160 versions since March 2023. Every source file is heavily obfuscated, making code review impossible without deobfuscation. The 70KB single-line common.js is the primary payload. The combination of realistic component file names, Material UI naming mimicry, and persistent multi-year publication history makes this a sophisticated, long-running supply chain attack.
```shell
npm uninstall react-ui-mat
# Install the real Material UI:
npm install @mui/material
```