VYPR

npm · Malicious package advisory

Malware

figma-d2c-utils

MAL-2026-4562

Malicious code in figma-d2c-utils (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b65db74a06749bbb141552f97e91b15d5bdd91b57a0136dfc8bfb4034b659c8f)
The package ships dist/report.js, a one-line module that issues an HTTPS POST to https://www.baidu.com carrying values read from process.env. The destination has no relationship to the package's stated purpose (Figma design-to-code utilities) and is not a documented telemetry or API endpoint for any Figma workflow. The companion file dist/export-figma-images.cjs additionally constructs https.request calls referencing process.env values; while one such call legitimately targets api.figma.com, the report.js beacon to baidu.com is structurally an exfiltration channel — a hardcoded third-party host receiving environment data on every invocation. Installers who require this package, or run any code path that loads dist/report.js, will leak process.env contents (which on developer machines and CI commonly includes FIGMA_TOKEN, GITHUB_TOKEN, NPM_TOKEN, AWS credentials, and other secrets) to an attacker-chosen destination.

Compromised versions (1)

  • 0.6.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.