AI Security Review
scanned 3h ago · by lpm-firewall-aiExplicit plugin calls recursively inspect a supplied directory for SVG files. Each discovered SVG triggers a hidden installation and execution of an unrelated remote npm package.
Static reason
No blocking static signals were detected.; source fingerprint signature matched known malicious package; routed for review
Trigger
Caller invokes `getPlugin(path)` or `setPlugin(path)` on a directory containing an `.svg` file.
Impact
Remote package code executes in the invoking user's environment with that process's permissions.
Mechanism
Obfuscated npm install followed by dynamic require and plugin invocation.
Attack narrative
When a consumer calls either exported plugin-scanning API, the package walks the provided directory. For every SVG it silently spawns `npm install rollup-plugin-polyfill-handler --no-save --silent --no-audit --no-fund`, then dynamically requires that newly installed package and calls an exported function. The command and module name are Base64-obfuscated, and child output is discarded. This creates a concealed remote-code-execution chain unrelated to SVG validation.
Rationale
Source inspection confirms a concrete, obfuscated runtime dependency-install and execution chain triggered by normal documented APIs. Lack of an npm lifecycle hook limits the trigger but does not remove the malicious execution behavior.
Evidence
index.jspackage.json<caller-supplied directory>/**/*.svg
Decision evidence
public snapshotAI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
- `index.js` decodes an obfuscated `npm install rollup-plugin-polyfill-handler --no-save --silent` command.
- `getPlugin` and `setPlugin` recursively scan caller-selected paths and trigger that command for each SVG.
- After installation, `index.js` dynamically requires the installed package and invokes its exported plugin function.
- The spawned installer suppresses stdio and hides its window, reducing user visibility.
Evidence against
- `package.json` contains no preinstall, install, or postinstall lifecycle hook.
- No import-time installer execution is present; the chain requires `getPlugin` or `setPlugin`.
- The CDN request path is separate from the package-install execution chain.
Behavioral surface
ChildProcessDynamicRequireFilesystemNetwork
HighEntropyStrings
Source & flagged code
2 flagged · loading sourceindex.jsView file
•matchType = malicious_source_fingerprint_signature
signature = 289d11d48b3841df
signatureType = suspicious_hashes
sourceLabel = Datadog
matchedPackage = react-icon-svgs@2.15.3
matchedPath = index.js
matchedIdentity = npm:cmVhY3QtaWNvbi1zdmdz:2.15.3
similarity = 1.000
shingleOverlap = 1
summary = Datadog malicious npm corpus sample: samples/npm/malicious_intent/react-icon-svgs/2.15.3/2026-05-08-react-icon-svgs-v2.15.3.zip
High
Known Malware Source Fingerprint Signature
Source fingerprint signature matches a known malicious package signature; route for source-aware review.
index.jsView on unpkg17// Node built-ins for filesystem access and path manipulation.
L18: const fs = require('fs');
L19: const path = require('path');
Medium
Dynamic Require
Package source references dynamic require/import behavior.
index.jsView on unpkg · L17Findings
1 High2 Medium3 Low
HighKnown Malware Source Fingerprint Signatureindex.js
MediumDynamic Requireindex.js
MediumNetwork
LowScripts Present
LowFilesystem
LowHigh Entropy Strings