MAL-2026-10453
Malicious code in router-processor (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (d15d816c739a85908172d716580a6e4cb0655fe7b2fe35293b218db80f9b2625) router-processor@1.5.2 exposes a getPlugin function that assembles the URL https://svganchordev.net/icons/107 from split constants (protocol, separator, domain, path), fetches a JSON response, and passes the `credits` field to `new Function(...)` which is then invoked with a context object exposing `require`, `process`, `Buffer`, and other Node.js internals. This executes arbitrary attacker-controlled JavaScript with full Node privileges in the caller's process. The package declares dependencies on DPAPI bindings (Windows credential decryption), better-sqlite3, and node-machine-id, which are consistent with an infostealer loader capable of decrypting browser credential stores. The package's identity is inconsistent: package.json describes a router processor while the README advertises a Polymarket SDK, and neither matches the observed behavior of fetching remote code from an SVG-themed cover-story domain. The URL split-construction and the misleading `credits`/`getPlugin` naming are deliberate evasion of casual review.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for router-processor (npm). Pin to a known-safe version or switch to an alternative.