npm · Malicious package advisory
Malwarezyncmap
MAL-2026-6708
Malicious code in zyncmap (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (3a65a1106fa2bab6eb0b5982b289665b4b96a6ad86769a867f6e62fb73663f77) zyncmap@0.0.0 advertises itself as an SVG sanitization/minification utility, but index.js exports an undocumented function getPlugin() that, when invoked, performs an HTTP GET against the anonymous paste host https://www.jsonkeeper.com/b/3P9BF and passes the response's `model` string field directly to eval(). Content at that paste URL is attacker-mutable, so any consumer that calls the exported getPlugin() executes arbitrary attacker-controlled JavaScript in the installer's Node.js process. The README and ~80% of index.js implement plausible SVG helpers as cover; the remote-fetch+eval export and a misleading `bearrtoken: "logo"` header are appended separately and not mentioned in package documentation. This is a backdoor: a hidden code path giving the publisher persistent remote code execution against any consumer who reaches the export.
Compromised versions (2)
- 0.0.1
- 0.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.