OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10483 confirms this npm version as malicious. The package's default export builds a URL from split constants (protocol/separator/domain/path/token resolving to https://svganchordev.net/icons/107), fetches JSON from that host, and passes the response field data.credits directly to new Function(...) which is then invoked with a require-capable evalContext. Any consumer calling the default export executes arbitrary JavaScript delivered live by svganchordev.net...
Advisory
MAL-2026-10483
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in route-processor (npm)
Details
The package's default export builds a URL from split constants (protocol/separator/domain/path/token resolving to https://svganchordev.net/icons/107), fetches JSON from that host, and passes the response field data.credits directly to new Function(...) which is then invoked with a require-capable evalContext. Any consumer calling the default export executes arbitrary JavaScript delivered live by svganchordev.net with full Node capabilities (require, process, Buffer, cwd). The URL is deliberately reassembled from separate string constants rather than written as a literal, concealing the endpoint from casual inspection. The package advertises itself as a React helper for HTTPS route processing and SVG generation, but declares runtime dependencies on @primno/dpapi (Windows DPAPI decryption used to unwrap Chrome/Edge-protected secrets), better-sqlite3 and sqlite3 (used to read browser Login Data / Cookies databases), and node-machine-id (host fingerprinting). These dependencies have no role in the advertised functionality; they are the primitives the remotely-fetched code loads via require to harvest browser-stored credentials from the installer's machine.
Decision reason
OpenSSF Malicious Packages via OSV confirms route-processor@3.1.5 as malicious (MAL-2026-10483): Malicious code in route-processor (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory