registry  /  font-huge  /  2.5.3

font-huge@2.5.3

Font hub for managing and fetching icons.

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10492 confirms this npm version as malicious. font-huge advertises itself as a font/icon collection, but its exported getPlugin function fetches https://svganchordev.net/icons/107 and passes the response's data.credits field to new Function with require, module, process, Buffer, and other Node primitives injected, then invokes it — executing attacker-controlled JavaScript with full Node privileges whenever a consumer imports and calls the default export...

Advisory
MAL-2026-10492
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in font-huge (npm)
Details
font-huge advertises itself as a font/icon collection, but its exported getPlugin function fetches https://svganchordev.net/icons/107 and passes the response's data.credits field to new Function with require, module, process, Buffer, and other Node primitives injected, then invokes it — executing attacker-controlled JavaScript with full Node privileges whenever a consumer imports and calls the default export. The destination host is unrelated to the package's declared purpose and is constructed by concatenating split literals (domain "svganchordev.net", path "/icons/", token "107") to obscure the URL in source. Retry logic and empty catch blocks suppress errors from the fetch. The package's declared dependencies (@primno/dpapi for Windows DPAPI decryption, better-sqlite3/sqlite3 for browser profile databases, node-machine-id, socket.io-client) are not referenced anywhere in the shipped code and match the runtime primitives a browser-credential stealer payload would need after being loaded via the remote eval.
Decision reason
OpenSSF Malicious Packages via OSV confirms font-huge@2.5.3 as malicious (MAL-2026-10492): Malicious code in font-huge (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory