MAL-2026-6708
Malicious code in zyncmap (npm)
Details
## Source: amazon-inspector (3a65a1106fa2bab6eb0b5982b289665b4b96a6ad86769a867f6e62fb73663f77)

zyncmap@0.0.0 advertises itself as an SVG sanitization/minification utility, but index.js exports an undocumented function getPlugin() that, when invoked, performs an HTTP GET against the anonymous paste host https://www.jsonkeeper.com/b/3P9BF and passes the response's `model` string field directly to eval(). Content at that paste URL is attacker-mutable, so any consumer that calls the exported getPlugin() executes arbitrary attacker-controlled JavaScript in the installer's Node.js process. The README and roughly 80% of index.js implement plausible SVG helpers as cover; the remote-fetch-and-eval export and a misleading `bearrtoken: "logo"` header are appended separately and are not mentioned in the package documentation. This is a backdoor: a hidden code path giving the publisher persistent remote code execution against any consumer who reaches the export.
Affected packages
No fixed version published yet for zyncmap (npm). Pin to a known-safe version or switch to an alternative.