{
  "id": "MAL-2026-6715",
  "summary": "Malicious code in svgcraft-core (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (3d44028203c0771b7e6d77ac8addb4d100be6e75992c7ef0bd066035aba86d31)\nThe CommonJS entry point exports an undocumented `getPlugin()` factory that fetches a URL-shortener target (https://shorturl.at/nkw3a) and passes a JSON field from the response to `eval`, executing attacker-controlled JavaScript inside the caller's Node.js process. The shortener destination is mutable, so the operator can swap the executed payload at any time without republishing the package. Additional concealment signals: the function uses cover-story field names (`bearrtoken: 'logo'`, `parsed.cookie` guarding `eval(parsed.model)`); the backdoor exists only in the CommonJS build (the ESM entry omits it); the file `require`s an undeclared `request` dependency; and the README advertises 'zero dependencies' and does not mention this behavior. Any consumer invoking `getPlugin()()` via the CJS build will execute remote code chosen by whoever controls the shortener.\n",
  "modified": "2026-07-01T21:16:43.337875835Z",
  "published": "2026-07-01T20:48:15Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "versions": ["1.0.1"],
        "modified_time": "2026-07-01T20:48:15Z",
        "id": "IN-MAL-2026-007900",
        "sha256": "1407a3b83a7eff7ec054312944ce4bf2c39fc1a26d9c16cda9f7c3c4afa72187",
        "source": "amazon-inspector",
        "import_time": "2026-07-01T21:04:20.940834484Z"
      },
      {
        "versions": ["1.0.2"],
        "modified_time": "2026-07-01T20:48:49Z",
        "id": "IN-MAL-2026-007904",
        "sha256": "3d44028203c0771b7e6d77ac8addb4d100be6e75992c7ef0bd066035aba86d31",
        "source": "amazon-inspector",
        "import_time": "2026-07-01T21:04:21.214869201Z"
      },
      {
        "versions": ["1.0.4"],
        "modified_time": "2026-07-01T20:48:25Z",
        "id": "IN-MAL-2026-007901",
        "import_time": "2026-07-01T21:04:21.007200975Z",
        "source": "amazon-inspector",
        "sha256": "5207167735bdb696743300e61746560ce445beb11da6005ebf7710b7be3408f2"
      },
      {
        "import_time": "2026-07-01T21:04:21.126557338Z",
        "modified_time": "2026-07-01T20:48:42Z",
        "id": "IN-MAL-2026-007903",
        "versions": ["1.0.3"],
        "source": "amazon-inspector",
        "sha256": "a18879a0b6e0246f4c05a677423bbb9a6aaf8c533467937236288c41e42ef011"
      }
    ]
  },
  "references": [
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/svgcraft-core/v/1.0.1"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/svgcraft-core/v/1.0.2"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/svgcraft-core/v/1.0.4"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/svgcraft-core/v/1.0.3"}
  ],
  "affected": [
    {
      "package": {
        "name": "svgcraft-core",
        "ecosystem": "npm",
        "purl": "pkg:npm/svgcraft-core"
      },
      "versions": ["1.0.1", "1.0.2", "1.0.4", "1.0.3"],
      "database_specific": {
        "indicators": {
          "evidence_files": [
            {
              "sha256": "81459e0c5668e3003f757a40aa97298f2b038a1c11116a078a4df7c55460c4bf",
              "path": "src/index.cjs",
              "tlsh": "650293287cf364920b63709d45cb90ac34b6e507345bde50aa6c49012fa83ace1f7bbd"
            }
          ],
          "package_integrity": [
            {
              "hashes": {
                "sha1": "09180763fb0685307b86813631688d798d2f6286",
                "sha512_sri": "sha512-56b0w1Q/C5DqzyYbwZo4Rz6wTZ33FgjucWjQOi0g/CRAS6lLn+omUdVYZL5WDwszpZ0pXMVcLBpiGkEgL2sb9A=="
              },
              "filename": "svgcraft-core-1.0.1.tgz"
            }
          ]
        },
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/svgcraft-core/MAL-2026-6715.json",
        "cwes": [
          {"name": "Embedded Malicious Code", "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature."},
          {"name": "Embedded Malicious Code", "cweId": "CWE-506", "description": "The product contains code that appears to be malicious in nature."},
          {"description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506", "name": "Embedded Malicious Code"},
          {"description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506", "name": "Embedded Malicious Code"}
        ]
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [
    {
      "name": "Amazon Inspector",
      "contact": ["inspector-research@amazon.com"],
      "type": "FINDER"
    }
  ]
}