VDB

MAL-2026-6715

Malicious code in svgcraft-core (npm)

Details


## Source: amazon-inspector (3d44028203c0771b7e6d77ac8addb4d100be6e75992c7ef0bd066035aba86d31)

The CommonJS entry point exports an undocumented `getPlugin()` factory that fetches a URL-shortener target (https://shorturl.at/nkw3a), parses the JSON response and passes one of its fields to `eval`, executing attacker-controlled JavaScript inside the caller's Node.js process. Because the shortener destination is mutable, the operator can swap the executed payload at any time without republishing the package.

Additional concealment signals:

- cover-story field names: a `bearrtoken: 'logo'` value and a `parsed.cookie` check guarding `eval(parsed.model)`;
- the backdoor exists only in the CommonJS build; the ESM entry omits it, so a reviewer who reads only the ESM build sees nothing;
- the file `require`s a `request` dependency that the package does not declare;
- the README advertises 'zero dependencies' and does not mention this behavior.

Any consumer that calls `getPlugin()()` through the CJS build executes remote code chosen by whoever controls the shortener.


Affected packages

npm / svgcraft-core

No fixed version published yet for svgcraft-core (npm). The advisory does not identify any version without the backdoor, so treat a version as "known-safe" only if you have inspected its CommonJS entry yourself; otherwise remove the package and switch to an alternative. Any environment that has executed `getPlugin()()` from the CJS build has run code chosen by whoever controls the shortener and should be treated as potentially compromised.

References