npm

router-processor @1.5.2

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10453

Ecosystem

npm

Summary

router-processor@1.5.2 exposes a getPlugin function that assembles the URL https://svganchordev.net/icons/107 from split constants (protocol, separator, domain, path), fetches a JSON response, and passes the credits field to new Function(...) which is then invoked with a context object exposing require , process , Buffer , and other Node.js internals. This executes arbitrary attacker-controlled JavaScript with full Node privileges in the caller's process. The package declares dependencies on DPAPI bindings (Windows credential decryption), better-sqlite3, and node-machine-id, which are consistent with an infostealer loader capable of decrypting browser credential stores. The package's identity is inconsistent: package.json describes a router processor while the README advertises a Polymarket SDK, and neither matches the observed behavior of fetching remote code from an SVG-themed cover-story domain. The URL split-construction and the misleading credits / getPlugin naming are deliberate evasion of casual review.

Source: amazon-inspector (d15d816c739a85908172d716580a6e4cb0655fe7b2fe35293b218db80f9b2625)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.