svgcraft-core @1.0.6
Vulnerability report · Last retrieved from osv.dev July 12, 2026 at 1:36 AM UTC
OSV ID
MAL-2026-6715
Ecosystem
npm
Summary
src/index.cjs exports getPlugin(), which returns a function that performs an HTTPS GET to a hardcoded URL 'https://api.avax-test.dev/ext/bc/C/rpc' with TLS verification disabled (rejectUnauthorized: false) and passes the response body to new Function('require', data)(require). Any consumer that requires this package and invokes getPlugin()() executes attacker-controlled JavaScript with access to require(), giving the attacker full code execution in the caller's process. The destination host 'api.avax-test.dev' typosquats Avalanche Fuji's official RPC endpoint 'api.avax-test.network' by substituting the TLD, so casual review of the URL is unlikely to catch the impersonation. The paired ESM entry src/index.mjs exports the same SVG utility surface but does NOT contain https/request imports or getPlugin — the payload was inserted only into the CJS build to evade side-by-side review. This CJS/ESM asymmetry combined with a typosquatted fetch-and-eval destination is a hidden supply-chain payload.
Source: amazon-inspector (3863ea8f67c7365031b5ffb43aaa2721062669b49be8157e1dd32ce19dce511f)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.