VYPR

npm · Malicious package advisory

Malware

svgson-lite

MAL-2026-6707

Malicious code in svgson-lite (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (ceb1026a96918a3f4ed4c7c4f0aa75411c3869f1ad14405174e396b4e67907d2)
index.js exports an undocumented getPlugin() function which, when invoked, performs an HTTP GET to https://shorturl.at/147uq, JSON-parses the response body, and passes the response's `model` field directly to eval(). The URL is a mutable shortener redirect controlled by the package author and can be repointed to any JavaScript payload at any time, giving the author arbitrary code execution in the process of any consumer that calls getPlugin()(). The package's stated purpose is an SVG helper: package.json describes it as 'Tiny zero-dependency SVG helper for Node.js' and declares no dependencies, yet index.js requires the 'request' library and implements the fetch+eval path. The network+eval behavior is unrelated to SVG processing and is not mentioned in the README, keywords, or exports documentation. The mismatch between advertised purpose and shipped behavior, combined with the shortener-cloaked destination, is deliberate concealment of a backdoor surface.

Compromised versions (8)

  • 1.0.1
  • 1.0.0
  • 1.0.5
  • 1.0.6
  • 1.0.7
  • 1.0.2
  • 1.0.4
  • 1.0.8

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.