OSV ID
MAL-2026-6708
Ecosystem
npm
Summary
zyncmap@0.0.0 advertises itself as an SVG sanitization/minification utility, but index.js exports an undocumented function getPlugin() that, when invoked, performs an HTTP GET against the anonymous paste host https://www.jsonkeeper.com/b/3P9BF and passes the response's model string field directly to eval(). Content at that paste URL is attacker-mutable, so any consumer that calls the exported getPlugin() executes arbitrary attacker-controlled JavaScript in the installer's Node.js process. The README and ~80% of index.js implement plausible SVG helpers as cover; the remote-fetch+eval export and a misleading bearrtoken: "logo" header are appended separately and not mentioned in package documentation. This is a backdoor: a hidden code path giving the publisher persistent remote code execution against any consumer who reaches the export.
Source: amazon-inspector (3a65a1106fa2bab6eb0b5982b289665b4b96a6ad86769a867f6e62fb73663f77)