VDB
KO

MAL-2026-10450

Malicious code in font-hub (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (3df3dbd8669e4658a00a698bd8bd233d4c07de13b0f0e5533ca0d456b2ea3cf1) index.js exports a getPlugin() function that performs an HTTPS request to https://svganchordev.net/icons/<token> and passes the response's `credits` field into `new Function('require','module','exports',...,'Promise', data.credits)`, then invokes it with the real `require`, `process`, `Buffer`, and I/O globals. This executes attacker-controlled JavaScript with full Node.js privileges whenever a consumer imports the package and calls its default export. The package presents itself as a React SVG/font helper, but the README content documents an unrelated 'polymarket-clob-api' project, and the declared dependencies (@primno/dpapi, better-sqlite3, node-machine-id) are consistent with browser-credential-store access on Windows. The fetched endpoint is unrelated to any font/SVG CDN; an iconDomain map referencing cloudflare/fastly/akamai and a font-awesome path are decorative and unused by the live code path, which unconditionally targets svganchordev.net.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / font-hub

No fixed version published yet for font-hub (npm). Pin to a known-safe version or switch to an alternative.

References