
MAL-2026-6066

Malicious code in quirky-token (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b263413912feb72882ee0b52e7025c636ed98472ba90e6db4714b3b111b4e2e8)

The package is advertised as an SVG sanitizer but exposes an undocumented getPlugin() export. The function it returns fetches JSON from https://www.jsonkeeper.com/b/3P9BF and passes the response's `model` field directly to eval(). jsonkeeper.com is an anonymous, mutable paste host, and the package applies no pinning, hash, or signature to what it fetches, so whoever controls that paste can execute arbitrary JavaScript in the consumer's Node.js process whenever the returned function is invoked. The malicious block in index.js is appended below a plausible SVG sanitizer/minifier implementation that serves as cover, and both the HTTP error branch and the eval try/catch are empty, so failures are silently swallowed. This is a classic dropper pattern: benign cover code, an undocumented export, fetch-and-eval from a mutable third-party paste, and concealment of errors. Any consumer that imports this package and calls getPlugin() grants the paste operator full remote code execution on the importing host.


Affected packages

npm / quirky-token

No fixed version published yet for quirky-token (npm). Pin to a known-safe version or switch to an alternative.

References