npm

svgcraft-core @1.0.4

Vulnerability report · Last retrieved from osv.dev July 2, 2026 at 12:05 AM UTC

Malicious

OSV ID

MAL-2026-6715

Ecosystem

npm

Summary

The CommonJS entry point exports an undocumented getPlugin() factory that fetches a URL-shortener target (https://shorturl.at/nkw3a) and passes a JSON field from the response to eval(), executing attacker-controlled JavaScript inside the caller's Node.js process. The shortener destination is mutable, so the operator can swap the executed payload at any time without republishing the package. Additional concealment signals: the function uses cover-story field names (bearrtoken: 'logo', and parsed.cookie guarding eval(parsed.model)); the backdoor exists only in the CommonJS build (the ESM entry omits it); the file require()s the undeclared request dependency; and the README advertises 'zero dependencies' and does not mention this behavior. Any consumer invoking getPlugin()() via the CJS build will execute remote code chosen by whoever controls the shortener.

Source: amazon-inspector (3d44028203c0771b7e6d77ac8addb4d100be6e75992c7ef0bd066035aba86d31)
