{"id":"MAL-2026-10114","summary":"Malicious code in driftpin (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (bb2b2601b0e4e6659a7fd042e4f227e3d22880c51355a793dbdc2e42d39805d5)\ndriftpin@1.0.0 advertises itself in the README as an SVG sanitization/minification/conversion utility, but the only actual export from index.js is an undocumented function `getPlugin`. When a consumer calls `getPlugin()()`, the returned closure performs an HTTP GET against https://www.jsonkeeper.com/b/3P9BF — an anonymous, mutable paste host — parses the JSON response, and passes the response's `model` field directly to `eval`. Whoever controls the paste can change its contents at any moment to run arbitrary JavaScript inside any process that loads driftpin and invokes the export. The advertised SVG functionality is a cover story; the documented API surface (sanitizeSVG/minifySVG/saveSVG/convertSVGToPNG) is not actually exported. Additionally, index.js `require('request')` without declaring `request` in package.json dependencies, indicating the backdoor was grafted onto an unrelated skeleton.\n","modified":"2026-07-10T08:01:50.829295643Z","published":"2026-07-10T06:45:55Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-07-10T07:46:08.010760242Z","versions":["1.0.0"],"id":"IN-MAL-2026-009606","source":"amazon-inspector","sha256":"bb2b2601b0e4e6659a7fd042e4f227e3d22880c51355a793dbdc2e42d39805d5","modified_time":"2026-07-10T06:45:55Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/driftpin/v/1.0.0"}],"affected":[{"package":{"name":"driftpin","ecosystem":"npm","purl":"pkg:npm/driftpin"},"versions":["1.0.0"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"767111a8999b7095d6b1e3e447135015f559d1672208c3d4b6acc6983f7172c90f3eec","path":"index.js","sha256":"3a0e1400a7ac8e8b984beef2f330af7a144b04723016ef07681ac0294a725444"}],"package_integrity":[{"hashes":{"sha1":"d7c870e55eeb8b04adc05c8b201d997755266058","sha512_sri":"sha512-xYcAJvTjWwLjb+4paktRiKT+m+R4PZ6NpWAo0ipyUcrITh8Ww4DObZAaM/TjotnbRbxDdSKdrkbX2gBlEe0akg=="},"filename":"driftpin-1.0.0.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/driftpin/MAL-2026-10114.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}