registry  /  driftpin  /  1.0.0

driftpin@1.0.0

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10114 confirms this npm version as malicious. driftpin@1.0.0 advertises itself in the README as an SVG sanitization/minification/conversion utility, but the only actual export from index.js is an undocumented function `getPlugin`. When a consumer calls `getPlugin()()`, the returned closure performs an HTTP GET against https://www.jsonkeeper.com/b/3P9BF — an anonymous, mutable paste host — parses the JSON response, and passes the response's `model` field...

Advisory
MAL-2026-10114
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in driftpin (npm)
Details
driftpin@1.0.0 advertises itself in the README as an SVG sanitization/minification/conversion utility, but the only actual export from index.js is an undocumented function `getPlugin`. When a consumer calls `getPlugin()()`, the returned closure performs an HTTP GET against https://www.jsonkeeper.com/b/3P9BF — an anonymous, mutable paste host — parses the JSON response, and passes the response's `model` field directly to `eval`. Whoever controls the paste can change its contents at any moment to run arbitrary JavaScript inside any process that loads driftpin and invokes the export. The advertised SVG functionality is a cover story; the documented API surface (sanitizeSVG/minifySVG/saveSVG/convertSVGToPNG) is not actually exported. Additionally, index.js `require('request')` without declaring `request` in package.json dependencies, indicating the backdoor was grafted onto an unrelated skeleton.
Decision reason
No blocking static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
CryptoEvalFilesystemNetwork
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 3.43 KB of source

Source & flagged code

1 flagged · loading source
index.jsView file
106if (typeof parsed.model === "string") { L107: eval(parsed.model); L108: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

index.jsView on unpkg · L106

Findings

1 Medium4 Low
MediumNetwork
LowScripts Present
LowEvalindex.js
LowFilesystem
LowHigh Entropy Strings