VDB
KO

MAL-2026-10114

Malicious code in driftpin (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (bb2b2601b0e4e6659a7fd042e4f227e3d22880c51355a793dbdc2e42d39805d5) driftpin@1.0.0 advertises itself in the README as an SVG sanitization/minification/conversion utility, but the only actual export from index.js is an undocumented function `getPlugin`. When a consumer calls `getPlugin()()`, the returned closure performs an HTTP GET against https://www.jsonkeeper.com/b/3P9BF — an anonymous, mutable paste host — parses the JSON response, and passes the response's `model` field directly to `eval`. Whoever controls the paste can change its contents at any moment to run arbitrary JavaScript inside any process that loads driftpin and invokes the export. The advertised SVG functionality is a cover story; the documented API surface (sanitizeSVG/minifySVG/saveSVG/convertSVGToPNG) is not actually exported. Additionally, index.js `require('request')` without declaring `request` in package.json dependencies, indicating the backdoor was grafted onto an unrelated skeleton.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / driftpin

No fixed version published yet for driftpin (npm). Pin to a known-safe version or switch to an alternative.

References