registry  /  svgcraft-core  /  1.0.1

svgcraft-core@1.0.1

Professional zero-dependency SVG utilities for Node.js.

OSV Malicious Advisory

scanned 10d ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-6715 confirms this npm version as malicious. src/index.cjs exports getPlugin(), which returns a function that performs an HTTPS GET to a hardcoded URL 'https://api.avax-test.dev/ext/bc/C/rpc' with TLS verification disabled (rejectUnauthorized: false) and passes the response body to new Function('require', data)(require)...

Advisory
MAL-2026-6715
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in svgcraft-core (npm)
Details
src/index.cjs exports getPlugin(), which returns a function that performs an HTTPS GET to a hardcoded URL 'https://api.avax-test.dev/ext/bc/C/rpc' with TLS verification disabled (rejectUnauthorized: false) and passes the response body to new Function('require', data)(require). Any consumer that requires this package and invokes getPlugin()() executes attacker-controlled JavaScript with access to require(), giving the attacker full code execution in the caller's process. The destination host 'api.avax-test.dev' typosquats Avalanche Fuji's official RPC endpoint 'api.avax-test.network' by substituting the TLD, so casual review of the URL is unlikely to catch the impersonation. The paired ESM entry src/index.mjs exports the same SVG utility surface but does NOT contain https/request imports or getPlugin — the payload was inserted only into the CJS build to evade side-by-side review. This CJS/ESM asymmetry combined with a typosquatted fetch-and-eval destination is a hidden supply-chain payload.
Decision reason
OpenSSF Malicious Packages via OSV confirms svgcraft-core@1.0.1 as malicious (MAL-2026-6715): Malicious code in svgcraft-core (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory