OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6715 confirms this npm version as malicious. src/index.cjs exports getPlugin(), which returns a function that performs an HTTPS GET to a hardcoded URL 'https://api.avax-test.dev/ext/bc/C/rpc' with TLS verification disabled (rejectUnauthorized: false) and passes the response body to new Function('require', data)(require)...
Advisory
MAL-2026-6715
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in svgcraft-core (npm)
Details
src/index.cjs exports getPlugin(), which returns a function that performs an HTTPS GET to a hardcoded URL 'https://api.avax-test.dev/ext/bc/C/rpc' with TLS verification disabled (rejectUnauthorized: false) and passes the response body to new Function('require', data)(require). Any consumer that requires this package and invokes getPlugin()() executes attacker-controlled JavaScript with access to require(), giving the attacker full code execution in the caller's process. The destination host 'api.avax-test.dev' typosquats Avalanche Fuji's official RPC endpoint 'api.avax-test.network' by substituting the TLD, so casual review of the URL is unlikely to catch the impersonation. The paired ESM entry src/index.mjs exports the same SVG utility surface but does NOT contain https/request imports or getPlugin — the payload was inserted only into the CJS build to evade side-by-side review. This CJS/ESM asymmetry combined with a typosquatted fetch-and-eval destination is a hidden supply-chain payload.
Decision reason
OpenSSF Malicious Packages via OSV confirms svgcraft-core@1.0.6 as malicious (MAL-2026-6715): Malicious code in svgcraft-core (npm)
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory