MAL-2026-5740
Malicious code in 2fa-exe (npm)
Details
## Source: amazon-inspector (df3ad6044ca4d17d594aa3aa0d1a75d1dbf3ebf483d0dd1b04d502277674a8cc)

Package advertises itself as an SVG fetcher/sanitizer but ships an undocumented exported factory `getPlugin()` in index.js that performs an HTTPS GET to https://www.jsonkeeper.com/b/NGY3C (an anonymous, attacker-mutable JSON-paste service) and passes the response's `model` field directly to `eval()`. Any consumer that calls `getPlugin()` — or any tooling that mass-invokes a package's exports — executes arbitrary JavaScript fetched from a third-party paste at the moment of the call. The remote payload can change at any time without a new package release, so today's benign content provides no assurance about tomorrow's. The package name `2fa-exe` also has no relationship to the stated SVG-sanitizer purpose, consistent with bait/lure framing. There is no integrity check, no pinning, and no mention of this behavior in the README.
Affected packages
No fixed version published yet for 2fa-exe (npm). Pin to a known-safe version or switch to an alternative.