npm

svgson-lite @1.0.7

Vulnerability report · Last retrieved from osv.dev July 1, 2026 at 10:05 PM UTC

Malicious

OSV ID

MAL-2026-6707

Ecosystem

npm

Summary

index.js exports an undocumented getPlugin() function which, when invoked, performs an HTTP GET to https://shorturl.at/147uq, JSON-parses the response body, and passes the response's model field directly to eval(). The URL is a mutable shortener redirect controlled by the package author and can be repointed to any JavaScript payload at any time, giving the author arbitrary code execution in the process of any consumer that calls getPlugin(). The package's stated purpose is an SVG helper: package.json describes it as 'Tiny zero-dependency SVG helper for Node.js' and declares no dependencies, yet index.js requires the 'request' library and implements the fetch+eval path. The network+eval behavior is unrelated to SVG processing and is not mentioned in the README, keywords, or exports documentation. The mismatch between advertised purpose and shipped behavior, combined with the shortener-cloaked destination, is deliberate concealment of a backdoor surface.

Source: amazon-inspector (ceb1026a96918a3f4ed4c7c4f0aa75411c3869f1ad14405174e396b4e67907d2)
