registry  /  svgson-lite  /  1.0.8

svgson-lite@1.0.8

Tiny zero-dependency SVG helper for Node.js

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-6707 confirms this npm version as malicious. index.js exports an undocumented getPlugin() function which, when invoked, performs an HTTP GET to https://shorturl.at/147uq, JSON-parses the response body, and passes the response's `model` field directly to eval()...

Advisory
MAL-2026-6707
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in svgson-lite (npm)
Details
index.js exports an undocumented getPlugin() function which, when invoked, performs an HTTP GET to https://shorturl.at/147uq, JSON-parses the response body, and passes the response's `model` field directly to eval(). The URL is a mutable shortener redirect controlled by the package author and can be repointed to any JavaScript payload at any time, giving the author arbitrary code execution in the process of any consumer that calls getPlugin()(). The package's stated purpose is an SVG helper: package.json describes it as 'Tiny zero-dependency SVG helper for Node.js' and declares no dependencies, yet index.js requires the 'request' library and implements the fetch+eval path. The network+eval behavior is unrelated to SVG processing and is not mentioned in the README, keywords, or exports documentation. The mismatch between advertised purpose and shipped behavior, combined with the shortener-cloaked destination, is deliberate concealment of a backdoor surface.
Decision reason
OpenSSF Malicious Packages via OSV confirms svgson-lite@1.0.8 as malicious (MAL-2026-6707): Malicious code in svgson-lite (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory