VDB
KO

MAL-2026-10492

Malicious code in font-huge (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a529537a0875d6ab8e2c942ace1db227c7131ff06b7eb4e86b12cd4193da4879) font-huge advertises itself as a font/icon collection, but its exported getPlugin function fetches https://svganchordev.net/icons/107 and passes the response's data.credits field to new Function with require, module, process, Buffer, and other Node primitives injected, then invokes it — executing attacker-controlled JavaScript with full Node privileges whenever a consumer imports and calls the default export. The destination host is unrelated to the package's declared purpose and is constructed by concatenating split literals (domain "svganchordev.net", path "/icons/", token "107") to obscure the URL in source. Retry logic and empty catch blocks suppress errors from the fetch. The package's declared dependencies (@primno/dpapi for Windows DPAPI decryption, better-sqlite3/sqlite3 for browser profile databases, node-machine-id, socket.io-client) are not referenced anywhere in the shipped code and match the runtime primitives a browser-credential stealer payload would need after being loaded via the remote eval.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / font-huge

No fixed version published yet for font-huge (npm). Pin to a known-safe version or switch to an alternative.

References