OSV ID
MAL-2026-10144
Ecosystem
npm
Summary
The package's default export getPlugin performs an HTTPS fetch to https://svganchordev.net/icons/107 with URL components split across protocol , domain , separator , and path variables to disguise the destination, then passes the response's credits field to new Function('require','module',...,data.credits) and invokes it with full Node capabilities (require, module, process, Buffer, global, __dirname=process.cwd()). Any consumer that imports the package and invokes the default export runs attacker-controlled code with the installer's Node privileges — enabling arbitrary payload delivery, credential theft, persistence, or downstream compromise. Additional misdirection: the package name mdb-vite evokes MDBootstrap/Vite tooling, keywords are react, helper, svg , the README titles itself polymarket-clob-api , and package.json describes it as a Polymarket CLOB SDK — none of which match the code, which only fetches and evals remote JavaScript. A bearrtoken: 'logo' header and an unused CDN-provider map (cloudflare/fastly/akamai/cloudfront) are decoys to make the loader appear CDN-related.
Source: amazon-inspector (d24ffe7ac6e64aab50d9ba84f5b06ffd1047663698d25071770749b36afe6543)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.