MAL-2026-10492
Malicious code in font-huge (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (a529537a0875d6ab8e2c942ace1db227c7131ff06b7eb4e86b12cd4193da4879) font-huge advertises itself as a font/icon collection, but its exported getPlugin function fetches https://svganchordev.net/icons/107 and passes the response's data.credits field to new Function with require, module, process, Buffer, and other Node primitives injected, then invokes it — executing attacker-controlled JavaScript with full Node privileges whenever a consumer imports and calls the default export. The destination host is unrelated to the package's declared purpose and is constructed by concatenating split literals (domain "svganchordev.net", path "/icons/", token "107") to obscure the URL in source. Retry logic and empty catch blocks suppress errors from the fetch. The package's declared dependencies (@primno/dpapi for Windows DPAPI decryption, better-sqlite3/sqlite3 for browser profile databases, node-machine-id, socket.io-client) are not referenced anywhere in the shipped code and match the runtime primitives a browser-credential stealer payload would need after being loaded via the remote eval.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for font-huge (npm). Pin to a known-safe version or switch to an alternative.