VYPR

npm · Malicious package advisory

Malware

driftpin

MAL-2026-10114

Malicious code in driftpin (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (bb2b2601b0e4e6659a7fd042e4f227e3d22880c51355a793dbdc2e42d39805d5)
driftpin@1.0.0 advertises itself in the README as an SVG sanitization/minification/conversion utility, but the only actual export from index.js is an undocumented function `getPlugin`. When a consumer calls `getPlugin()()`, the returned closure performs an HTTP GET against https://www.jsonkeeper.com/b/3P9BF — an anonymous, mutable paste host — parses the JSON response, and passes the response's `model` field directly to `eval`. Whoever controls the paste can change its contents at any moment to run arbitrary JavaScript inside any process that loads driftpin and invokes the export. The advertised SVG functionality is a cover story; the documented API surface (sanitizeSVG/minifySVG/saveSVG/convertSVGToPNG) is not actually exported. Additionally, index.js `require('request')` without declaring `request` in package.json dependencies, indicating the backdoor was grafted onto an unrelated skeleton.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.