OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10114 confirms this npm version as malicious. driftpin@1.0.0 advertises itself in the README as an SVG sanitization/minification/conversion utility, but the only actual export from index.js is an undocumented function `getPlugin`. When a consumer calls `getPlugin()()`, the returned closure performs an HTTP GET against https://www.jsonkeeper.com/b/3P9BF — an anonymous, mutable paste host — parses the JSON response, and passes the response's `model` field...
Advisory
MAL-2026-10114
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in driftpin (npm)
Details
driftpin@1.0.0 advertises itself in the README as an SVG sanitization/minification/conversion utility, but the only actual export from index.js is an undocumented function `getPlugin`. When a consumer calls `getPlugin()()`, the returned closure performs an HTTP GET against https://www.jsonkeeper.com/b/3P9BF — an anonymous, mutable paste host — parses the JSON response, and passes the response's `model` field directly to `eval`. Whoever controls the paste can change its contents at any moment to run arbitrary JavaScript inside any process that loads driftpin and invokes the export. The advertised SVG functionality is a cover story; the documented API surface (sanitizeSVG/minifySVG/saveSVG/convertSVGToPNG) is not actually exported. Additionally, index.js `require('request')` without declaring `request` in package.json dependencies, indicating the backdoor was grafted onto an unrelated skeleton.
Decision reason
No blocking static signals were detected.
References
Decision evidence
public snapshotBehavioral surface
CryptoEvalFilesystemNetwork
HighEntropyStrings
Source & flagged code
1 flagged · loading sourceindex.jsView file
106if (typeof parsed.model === "string") {
L107: eval(parsed.model);
L108: }
Low
Eval
Package source references a known benign dynamic code generation pattern.
index.jsView on unpkg · L106Findings
1 Medium4 Low
MediumNetwork
LowScripts Present
LowEvalindex.js
LowFilesystem
LowHigh Entropy Strings