fastify-bundler @1.4.13
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10520
Ecosystem
npm
Summary
The package's exported getPlugin function fetches JSON from https://svganchordev.net/icons/105 and passes the response's data.credits field to new Function() with require, module, process, Buffer, and other Node globals bound, then invokes it. Any consumer that imports fastify-bundler and calls the advertised API executes attacker-supplied JavaScript with full Node privileges; the remote operator can change the payload at any time. The package's declared dependencies (@primno/dpapi for Windows DPAPI credential decryption, better-sqlite3/sqlite3 for Chromium Login Data and Cookies stores, node-machine-id for host fingerprinting, socket.io-client, axios, request) are injected into the require() available to the remote payload, providing a ready-made toolkit for browser-credential theft and C2. The package identity is also deceptive: it is published as 'fastify-bundler' with a description claiming to be a 'high-performance web framework for Node.js', while the shipped README is titled 'Tailwindcss Forms Bundler' and instructs users to npm install tailwindcss-forms-bundle' — a name/README mismatch targeting three unrelated popular ecosystems to attract installs.
Source: amazon-inspector (b3d824f75a77642b33c2c29524f9decca40c16a12aabe0a2528f3d90deac8720)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.