MAL-2026-10450
Malicious code in font-hub (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (3df3dbd8669e4658a00a698bd8bd233d4c07de13b0f0e5533ca0d456b2ea3cf1) index.js exports a getPlugin() function that performs an HTTPS request to https://svganchordev.net/icons/<token> and passes the response's `credits` field into `new Function('require','module','exports',...,'Promise', data.credits)`, then invokes it with the real `require`, `process`, `Buffer`, and I/O globals. This executes attacker-controlled JavaScript with full Node.js privileges whenever a consumer imports the package and calls its default export. The package presents itself as a React SVG/font helper, but the README content documents an unrelated 'polymarket-clob-api' project, and the declared dependencies (@primno/dpapi, better-sqlite3, node-machine-id) are consistent with browser-credential-store access on Windows. The fetched endpoint is unrelated to any font/SVG CDN; an iconDomain map referencing cloudflare/fastly/akamai and a font-awesome path are decorative and unused by the live code path, which unconditionally targets svganchordev.net.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for font-hub (npm). Pin to a known-safe version or switch to an alternative.