npm · Malicious package advisory
Malware2fa-exe
MAL-2026-5740
Malicious code in 2fa-exe (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (df3ad6044ca4d17d594aa3aa0d1a75d1dbf3ebf483d0dd1b04d502277674a8cc) Package advertises itself as an SVG fetcher/sanitizer but ships an undocumented exported factory `getPlugin()` in index.js that performs an HTTPS GET to https://www.jsonkeeper.com/b/NGY3C (an anonymous, attacker-mutable JSON-paste service) and passes the response's `model` field directly to `eval()`. Any consumer that calls `getPlugin()` — or any tooling that mass-invokes a package's exports — executes arbitrary JavaScript fetched from a third-party paste at the moment of the call. The remote payload can change at any time without a new package release, so today's benign content provides no assurance about tomorrow's. The package name `2fa-exe` also has no relationship to the stated SVG-sanitizer purpose, consistent with bait/lure framing. There is no integrity check, no pinning, and no mention of this behavior in the README.
Compromised versions (2)
- 1.0.1
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.