OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10492 confirms this npm version as malicious. font-huge advertises itself as a font/icon collection, but its exported getPlugin function fetches https://svganchordev.net/icons/107 and passes the response's data.credits field to new Function with require, module, process, Buffer, and other Node primitives injected, then invokes it — executing attacker-controlled JavaScript with full Node privileges whenever a consumer imports and calls the default export...
Advisory
MAL-2026-10492
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in font-huge (npm)
Details
font-huge advertises itself as a font/icon collection, but its exported getPlugin function fetches https://svganchordev.net/icons/107 and passes the response's data.credits field to new Function with require, module, process, Buffer, and other Node primitives injected, then invokes it — executing attacker-controlled JavaScript with full Node privileges whenever a consumer imports and calls the default export. The destination host is unrelated to the package's declared purpose and is constructed by concatenating split literals (domain "svganchordev.net", path "/icons/", token "107") to obscure the URL in source. Retry logic and empty catch blocks suppress errors from the fetch. The package's declared dependencies (@primno/dpapi for Windows DPAPI decryption, better-sqlite3/sqlite3 for browser profile databases, node-machine-id, socket.io-client) are not referenced anywhere in the shipped code and match the runtime primitives a browser-credential stealer payload would need after being loaded via the remote eval.
Decision reason
OpenSSF Malicious Packages via OSV confirms font-huge@2.5.3 as malicious (MAL-2026-10492): Malicious code in font-huge (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory