VYPR

npm · Malicious package advisory

Malware

zyncmap

MAL-2026-6708

Malicious code in zyncmap (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (3a65a1106fa2bab6eb0b5982b289665b4b96a6ad86769a867f6e62fb73663f77)
zyncmap@0.0.0 advertises itself as an SVG sanitization/minification utility, but index.js exports an undocumented function getPlugin() that, when invoked, performs an HTTP GET against the anonymous paste host https://www.jsonkeeper.com/b/3P9BF and passes the response's `model` string field directly to eval(). Content at that paste URL is attacker-mutable, so any consumer that calls the exported getPlugin() executes arbitrary attacker-controlled JavaScript in the installer's Node.js process. The README and ~80% of index.js implement plausible SVG helpers as cover; the remote-fetch+eval export and a misleading `bearrtoken: "logo"` header are appended separately and not mentioned in package documentation. This is a backdoor: a hidden code path giving the publisher persistent remote code execution against any consumer who reaches the export.

Compromised versions (2)

  • 0.0.1
  • 0.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.