MAL-2026-10114
Malicious code in driftpin (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (bb2b2601b0e4e6659a7fd042e4f227e3d22880c51355a793dbdc2e42d39805d5) driftpin@1.0.0 advertises itself in the README as an SVG sanitization/minification/conversion utility, but the only actual export from index.js is an undocumented function `getPlugin`. When a consumer calls `getPlugin()()`, the returned closure performs an HTTP GET against https://www.jsonkeeper.com/b/3P9BF — an anonymous, mutable paste host — parses the JSON response, and passes the response's `model` field directly to `eval`. Whoever controls the paste can change its contents at any moment to run arbitrary JavaScript inside any process that loads driftpin and invokes the export. The advertised SVG functionality is a cover story; the documented API surface (sanitizeSVG/minifySVG/saveSVG/convertSVGToPNG) is not actually exported. Additionally, index.js `require('request')` without declaring `request` in package.json dependencies, indicating the backdoor was grafted onto an unrelated skeleton.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for driftpin (npm). Pin to a known-safe version or switch to an alternative.