npm

font-huge @2.5.3

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10492

Ecosystem

npm

Summary

font-huge advertises itself as a font/icon collection, but its exported getPlugin function fetches https://svganchordev.net/icons/107 and passes the response's data.credits field to new Function with require, module, process, Buffer, and other Node primitives injected, then invokes it — executing attacker-controlled JavaScript with full Node privileges whenever a consumer imports and calls the default export. The destination host is unrelated to the package's declared purpose and is constructed by concatenating split literals (domain "svganchordev.net", path "/icons/", token "107") to obscure the URL in source. Retry logic and empty catch blocks suppress errors from the fetch. The package's declared dependencies (@primno/dpapi for Windows DPAPI decryption, better-sqlite3/sqlite3 for browser profile databases, node-machine-id, socket.io-client) are not referenced anywhere in the shipped code and match the runtime primitives a browser-credential stealer payload would need after being loaded via the remote eval.

Source: amazon-inspector (a529537a0875d6ab8e2c942ace1db227c7131ff06b7eb4e86b12cd4193da4879)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.