npm

driftpin @1.0.0

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 11:31 AM UTC

Malicious

OSV ID

MAL-2026-10114

Ecosystem

npm

Summary

driftpin@1.0.0 advertises itself in the README as an SVG sanitization/minification/conversion utility, but the only actual export from index.js is an undocumented function getPlugin . When a consumer calls getPlugin()() , the returned closure performs an HTTP GET against https://www.jsonkeeper.com/b/3P9BF — an anonymous, mutable paste host — parses the JSON response, and passes the response's model field directly to eval . Whoever controls the paste can change its contents at any moment to run arbitrary JavaScript inside any process that loads driftpin and invokes the export. The advertised SVG functionality is a cover story; the documented API surface (sanitizeSVG/minifySVG/saveSVG/convertSVGToPNG) is not actually exported. Additionally, index.js require('request') without declaring request in package.json dependencies, indicating the backdoor was grafted onto an unrelated skeleton.

Source: amazon-inspector (bb2b2601b0e4e6659a7fd042e4f227e3d22880c51355a793dbdc2e42d39805d5)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.