MAL-2026-6708
Malicious code in zyncmap (npm)
Details
## Source: amazon-inspector (3a65a1106fa2bab6eb0b5982b289665b4b96a6ad86769a867f6e62fb73663f77)

zyncmap@0.0.0 advertises itself as an SVG sanitization/minification utility, but index.js exports an undocumented function getPlugin() that, when invoked, performs an HTTP GET against the anonymous paste host https://www.jsonkeeper.com/b/3P9BF and passes the response's `model` string field directly to eval(). Content at that paste URL is attacker-mutable, so any consumer that calls the exported getPlugin() executes arbitrary attacker-controlled JavaScript in the installer's Node.js process. The README and ~80% of index.js implement plausible SVG helpers as cover; the remote-fetch+eval export and a misleading `bearrtoken: "logo"` header are appended separately and not mentioned in package documentation. This is a backdoor: a hidden code path giving the publisher persistent remote code execution against any consumer who reaches the export.
Affected packages
No fixed version published yet for zyncmap (npm). Pin to a known-safe version or switch to an alternative.