MAL-2026-6715
Malicious code in svgcraft-core (npm)
Details
## Source: amazon-inspector (3d44028203c0771b7e6d77ac8addb4d100be6e35aba86d31)

The CommonJS entry point exports an undocumented `getPlugin()` factory that fetches a URL-shortener target (https://shorturl.at/nkw3a) and passes a JSON field from the response to `eval`, executing attacker-controlled JavaScript inside the caller's Node.js process. The shortener destination is mutable, so the operator can swap the executed payload at any time without republishing the package.

Additional concealment signals:

- the function uses cover-story field names (`bearrtoken: 'logo'`, and `parsed.cookie` guarding `eval(parsed.model)`);
- the backdoor exists only in the CommonJS build (the ESM entry omits it);
- the file `require`s an undeclared `request` dependency;
- the README advertises 'zero dependencies' and does not mention this behavior.

Any consumer invoking `getPlugin()()` via the CJS build will execute remote code chosen by whoever controls the shortener.
Affected packages
No fixed version published yet for svgcraft-core (npm). Pin to a known-safe version or switch to an alternative.