OSV Malicious Advisory
scanned 10d ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6715 confirms this npm version as malicious. The CommonJS entry point exports an undocumented `getPlugin()` factory that fetches a URL-shortener target (https://shorturl.at/nkw3a) and passes a JSON field from the response to `eval`, executing attacker-controlled JavaScript inside the caller's Node.js process. The shortener destination is mutable, so the operator can swap the executed payload at any time without republishing the package...
Advisory
MAL-2026-6715
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in svgcraft-core (npm)
Details
The CommonJS entry point exports an undocumented `getPlugin()` factory that fetches a URL-shortener target (https://shorturl.at/nkw3a) and passes a JSON field from the response to `eval`, executing attacker-controlled JavaScript inside the caller's Node.js process. The shortener destination is mutable, so the operator can swap the executed payload at any time without republishing the package. Additional concealment signals: the function uses cover-story field names (`bearrtoken: 'logo'`, `parsed.cookie` guarding `eval(parsed.model)`); the backdoor exists only in the CommonJS build (the ESM entry omits it); the file `require`s an undeclared `request` dependency; and the README advertises 'zero dependencies' and does not mention this behavior. Any consumer invoking `getPlugin()()` via the CJS build will execute remote code chosen by whoever controls the shortener.
Decision reason
OpenSSF Malicious Packages via OSV confirms svgcraft-core@1.0.2 as malicious (MAL-2026-6715): Malicious code in svgcraft-core (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory