route-processor @3.1.5
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10483
Ecosystem
npm
Summary
The package's default export builds a URL from split constants (protocol/separator/domain/path/token resolving to https://svganchordev.net/icons/107), fetches JSON from that host, and passes the response field data.credits directly to new Function(...) which is then invoked with a require-capable evalContext. Any consumer calling the default export executes arbitrary JavaScript delivered live by svganchordev.net with full Node capabilities (require, process, Buffer, cwd). The URL is deliberately reassembled from separate string constants rather than written as a literal, concealing the endpoint from casual inspection. The package advertises itself as a React helper for HTTPS route processing and SVG generation, but declares runtime dependencies on @primno/dpapi (Windows DPAPI decryption used to unwrap Chrome/Edge-protected secrets), better-sqlite3 and sqlite3 (used to read browser Login Data / Cookies databases), and node-machine-id (host fingerprinting). These dependencies have no role in the advertised functionality; they are the primitives the remotely-fetched code loads via require to harvest browser-stored credentials from the installer's machine.
Source: amazon-inspector (430b2eaa9fcc780c6e6a20639c32767b24ca2d47ba708c056c68bc78fb03e425)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.