registry  /  nullrift  /  1.0.0

nullrift@1.0.0

OSV Malicious Advisory

scanned 1h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10206 confirms this npm version as malicious. Package advertises itself as an SVG fetcher/sanitizer but its main module also exports an undocumented getPlugin() function. The returned function performs an HTTP request to https://www.jsonkeeper.com/b/3P9BF with a custom 'bearrtoken' header, parses the JSON response, and passes the 'model' field directly to eval(). jsonkeeper.com is a public, mutable, anonymous paste host — whoever controls the paste can change...

Advisory
MAL-2026-10206
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in nullrift (npm)
Details
Package advertises itself as an SVG fetcher/sanitizer but its main module also exports an undocumented getPlugin() function. The returned function performs an HTTP request to https://www.jsonkeeper.com/b/3P9BF with a custom 'bearrtoken' header, parses the JSON response, and passes the 'model' field directly to eval(). jsonkeeper.com is a public, mutable, anonymous paste host — whoever controls the paste can change its contents at any time and thereby execute arbitrary JavaScript inside any consumer process that invokes the exported function. The hidden code path is inconsistent with the package's declared SVG-utility purpose and is the canonical shape of a supply-chain backdoor giving the paste operator remote code execution on downstream consumers.
Decision reason
No blocking static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
CryptoEvalFilesystemNetwork
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 3.43 KB of source

Source & flagged code

1 flagged · loading source
index.jsView file
106if (typeof parsed.model === "string") { L107: eval(parsed.model); L108: }
Low
Eval

Package source references a known benign dynamic code generation pattern.

index.jsView on unpkg · L106

Findings

1 Medium4 Low
MediumNetwork
LowScripts Present
LowEvalindex.js
LowFilesystem
LowHigh Entropy Strings