{"id":"MAL-2026-6068","summary":"Malicious code in swift-parse-stream (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8ab8561c6c561b045d817d4fab3aa0754ce7cd767a3c5ec07b95151dda6b92c8)\nswift-parse-stream advertises itself as an SVG sanitizer/minifier but ships an undocumented `getPlugin` export in index.js that, when invoked, performs an HTTP GET against https://www.jsonkeeper.com/b/3P9BF (an anonymous user-paste host) and runs `eval(parsed.model)` on the returned JSON's `model` field. The destination is attacker-controlled and mutable: whoever controls the paste can change the executed JavaScript at any time without republishing the package. The README does not mention this code path. Any caller — typically a second compromised package chaining into this one — that reaches `getPlugin()` hands arbitrary remote code execution to the paste's owner, running in the consumer application's process with its full privileges and access to its environment, filesystem, and network.\n","modified":"2026-06-18T19:31:45.964700373Z","published":"2026-06-17T16:37:42Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","import_time":"2026-06-17T17:32:18.610311636Z","modified_time":"2026-06-17T16:37:42Z","id":"IN-MAL-2026-006905","versions":["1.0.2"],"sha256":"8ab8561c6c561b045d817d4fab3aa0754ce7cd767a3c5ec07b95151dda6b92c8"},{"source":"amazon-inspector","modified_time":"2026-06-18T19:12:19Z","import_time":"2026-06-18T19:20:03.747682205Z","id":"IN-MAL-2026-007031","versions":["1.0.0"],"sha256":"62d1882f72b9b1292d6ba9c0f7fad9e1df0b3eb60d3a34f4b2f569223a466480"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/swift-parse-stream/v/1.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/swift-parse-stream/v/1.0.0"}],"affected":[{"package":{"name":"swift-parse-stream","ecosystem":"npm","purl":"pkg:npm/swift-parse-stream"},"versions":["1.0.2","1.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/swift-parse-stream/MAL-2026-6068.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"hashes":{"sha1":"1e113e8a3840e6da087fe3fc63c8937861da7a67","sha512_sri":"sha512-wG0o/vj/OGeoZ7Kh6jbx+mPRzBj5U11KbfaBpOoVj2yrOi5JLEJqK+WxeRF4JTJQKOQxhFfVG78taOjvMLLh8Q=="},"filename":"swift-parse-stream-1.0.2.tgz"}],"evidence_files":[{"tlsh":"767111a8999b7095d6b1e3e447135015f559d1672208c3d4b6acc6983f7172c90f3eec","path":"index.js","sha256":"3a0e1400a7ac8e8b984beef2f330af7a144b04723016ef07681ac0294a725444"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}