MAL-2026-6707
Malicious code in svgson-lite (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (ceb1026a96918a3f4ed4c7c4f0aa75411c3869f1ad14405174e396b4e67907d2)

index.js exports an undocumented getPlugin() function which, when invoked, performs an HTTP GET to https://shorturl.at/147uq, JSON-parses the response body, and passes the response's `model` field directly to eval(). The URL is a mutable shortener redirect controlled by the package author and can be repointed to any JavaScript payload at any time, giving the author arbitrary code execution in the process of any consumer that calls getPlugin()().

The package's stated purpose is an SVG helper: package.json describes it as 'Tiny zero-dependency SVG helper for Node.js' and declares no dependencies, yet index.js requires the 'request' library and implements the fetch+eval path. The network+eval behavior is unrelated to SVG processing and is not mentioned in the README, keywords, or exports documentation. The mismatch between advertised purpose and shipped behavior, combined with the shortener-cloaked destination, is deliberate concealment of a backdoor surface.
Affected packages
No fixed version published yet for svgson-lite (npm). Pin to a known-safe version or switch to an alternative.
References
- https://www.npmjs.com/package/svgson-lite/v/1.0.0 [PACKAGE]
- https://www.npmjs.com/package/svgson-lite/v/1.0.1 [PACKAGE]
- https://www.npmjs.com/package/svgson-lite/v/1.0.2 [PACKAGE]
- https://www.npmjs.com/package/svgson-lite/v/1.0.4 [PACKAGE]
- https://www.npmjs.com/package/svgson-lite/v/1.0.5 [PACKAGE]
- https://www.npmjs.com/package/svgson-lite/v/1.0.6 [PACKAGE]
- https://www.npmjs.com/package/svgson-lite/v/1.0.7 [PACKAGE]