MAL-2026-10114

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/driftpin/MAL-2026-10114.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10114
Published
2026-07-10T06:45:55Z
Modified
2026-07-10T08:01:50.829295643Z
Summary
Malicious code in driftpin (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (bb2b2601b0e4e6659a7fd042e4f227e3d22880c51355a793dbdc2e42d39805d5)

driftpin@1.0.0 advertises itself in the README as an SVG sanitization/minification/conversion utility, but the only actual export from index.js is an undocumented function getPlugin. When a consumer calls getPlugin()(), the returned closure performs an HTTP GET against https://www.jsonkeeper.com/b/3P9BF — an anonymous, mutable paste host — parses the JSON response, and passes the response's model field directly to eval. Whoever controls the paste can change its contents at any moment to run arbitrary JavaScript inside any process that loads driftpin and invokes the export. The advertised SVG functionality is a cover story; the documented API surface (sanitizeSVG/minifySVG/saveSVG/convertSVGToPNG) is not actually exported. Additionally, index.js require('request') without declaring request in package.json dependencies, indicating the backdoor was grafted onto an unrelated skeleton.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "bb2b2601b0e4e6659a7fd042e4f227e3d22880c51355a793dbdc2e42d39805d5",
            "id": "IN-MAL-2026-009606",
            "import_time": "2026-07-10T07:46:08.010760242Z",
            "versions": [
                "1.0.0"
            ],
            "modified_time": "2026-07-10T06:45:55Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / driftpin

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "3a0e1400a7ac8e8b984beef2f330af7a144b04723016ef07681ac0294a725444",
            "tlsh": "767111a8999b7095d6b1e3e447135015f559d1672208c3d4b6acc6983f7172c90f3eec",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "driftpin-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-xYcAJvTjWwLjb+4paktRiKT+m+R4PZ6NpWAo0ipyUcrITh8Ww4DObZAaM/TjotnbRbxDdSKdrkbX2gBlEe0akg==",
                "sha1": "d7c870e55eeb8b04adc05c8b201d997755266058"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/driftpin/MAL-2026-10114.json"