npm

font-hub @1.5.2

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10450

Ecosystem

npm

Summary

index.js exports a getPlugin() function that performs an HTTPS request to https://svganchordev.net/icons/<token> and passes the response's credits field into new Function('require','module','exports',...,'Promise', data.credits) , then invokes it with the real require , process , Buffer , and I/O globals. This executes attacker-controlled JavaScript with full Node.js privileges whenever a consumer imports the package and calls its default export. The package presents itself as a React SVG/font helper, but the README content documents an unrelated 'polymarket-clob-api' project, and the declared dependencies (@primno/dpapi, better-sqlite3, node-machine-id) are consistent with browser-credential-store access on Windows. The fetched endpoint is unrelated to any font/SVG CDN; an iconDomain map referencing cloudflare/fastly/akamai and a font-awesome path are decorative and unused by the live code path, which unconditionally targets svganchordev.net.

Source: amazon-inspector (3df3dbd8669e4658a00a698bd8bd233d4c07de13b0f0e5533ca0d456b2ea3cf1)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.