MAL-2026-10206

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nullrift/MAL-2026-10206.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10206
Published
2026-07-12T20:48:13Z
Modified
2026-07-12T21:01:53.766383359Z
Summary
Malicious code in nullrift (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (29ebce322ac712405bfd29254cbd8f820c20ddc083587693a982b75ef6f3039a)

Package advertises itself as an SVG fetcher/sanitizer but its main module also exports an undocumented getPlugin() function. The returned function performs an HTTP request to https://www.jsonkeeper.com/b/3P9BF with a custom 'bearrtoken' header, parses the JSON response, and passes the 'model' field directly to eval(). jsonkeeper.com is a public, mutable, anonymous paste host — whoever controls the paste can change its contents at any time and thereby execute arbitrary JavaScript inside any consumer process that invokes the exported function. The hidden code path is inconsistent with the package's declared SVG-utility purpose and is the canonical shape of a supply-chain backdoor giving the paste operator remote code execution on downstream consumers.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "29ebce322ac712405bfd29254cbd8f820c20ddc083587693a982b75ef6f3039a",
            "id": "IN-MAL-2026-009763",
            "import_time": "2026-07-12T20:48:33.915355911Z",
            "modified_time": "2026-07-12T20:48:13Z",
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / nullrift

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "nullrift-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-5nvX9lgT4GNVCH8fW3YpjfXFCruzSlqvkP+TtyzMc4AyB6hU/C8hVhiGcHwbRrIpB3Mx4BU86WSCG0XCH08nsQ==",
                "sha1": "ec39b41ee777c1eea48ff86485437d361502b76a"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "3a0e1400a7ac8e8b984beef2f330af7a144b04723016ef07681ac0294a725444",
            "tlsh": "767111a8999b7095d6b1e3e447135015f559d1672208c3d4b6acc6983f7172c90f3eec",
            "path": "index.js"
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/nullrift/MAL-2026-10206.json"