VYPR

npm · Malicious package advisory

Malware

svgcraft-core

MAL-2026-6715

Malicious code in svgcraft-core (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (3863ea8f67c7365031b5ffb43aaa2721062669b49be8157e1dd32ce19dce511f)
src/index.cjs exports getPlugin(), which returns a function that performs an HTTPS GET to a hardcoded URL 'https://api.avax-test.dev/ext/bc/C/rpc' with TLS verification disabled (rejectUnauthorized: false) and passes the response body to new Function('require', data)(require). Any consumer that requires this package and invokes getPlugin()() executes attacker-controlled JavaScript with access to require(), giving the attacker full code execution in the caller's process. The destination host 'api.avax-test.dev' typosquats Avalanche Fuji's official RPC endpoint 'api.avax-test.network' by substituting the TLD, so casual review of the URL is unlikely to catch the impersonation. The paired ESM entry src/index.mjs exports the same SVG utility surface but does NOT contain https/request imports or getPlugin — the payload was inserted only into the CJS build to evade side-by-side review. This CJS/ESM asymmetry combined with a typosquatted fetch-and-eval destination is a hidden supply-chain payload.

Compromised versions (6)

  • 1.0.1
  • 1.0.2
  • 1.0.4
  • 1.0.3
  • 1.0.6
  • 1.0.5

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.