VDB
KO

MAL-2026-10483

Malicious code in route-processor (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (430b2eaa9fcc780c6e6a20639c32767b24ca2d47ba708c056c68bc78fb03e425) The package's default export builds a URL from split constants (protocol/separator/domain/path/token resolving to https://svganchordev.net/icons/107), fetches JSON from that host, and passes the response field data.credits directly to new Function(...) which is then invoked with a require-capable evalContext. Any consumer calling the default export executes arbitrary JavaScript delivered live by svganchordev.net with full Node capabilities (require, process, Buffer, cwd). The URL is deliberately reassembled from separate string constants rather than written as a literal, concealing the endpoint from casual inspection. The package advertises itself as a React helper for HTTPS route processing and SVG generation, but declares runtime dependencies on @primno/dpapi (Windows DPAPI decryption used to unwrap Chrome/Edge-protected secrets), better-sqlite3 and sqlite3 (used to read browser Login Data / Cookies databases), and node-machine-id (host fingerprinting). These dependencies have no role in the advertised functionality; they are the primitives the remotely-fetched code loads via require to harvest browser-stored credentials from the installer's machine.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / route-processor

No fixed version published yet for route-processor (npm). Pin to a known-safe version or switch to an alternative.

References