MAL-2026-6068

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/swift-parse-stream/MAL-2026-6068.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6068
Published
2026-06-17T16:37:42Z
Modified
2026-06-18T19:31:45.964700373Z
Summary
Malicious code in swift-parse-stream (npm)
Details


Source: amazon-inspector (8ab8561c6c561b045d817d4fab3aa0754ce7cd767a3c5ec07b95151dda6b92c8)

swift-parse-stream advertises itself as an SVG sanitizer/minifier but ships an undocumented getPlugin export in index.js that, when invoked, performs an HTTP GET against https://www.jsonkeeper.com/b/3P9BF (an anonymous user-paste host) and runs eval(parsed.model) on the returned JSON's model field. The destination is attacker-controlled and mutable: whoever controls the paste can change the executed JavaScript at any time without republishing the package. The README does not mention this code path. Any caller — typically a second compromised package chaining into this one — that reaches getPlugin() hands arbitrary remote code execution to the paste's owner, running in the consumer application's process with its full privileges and access to its environment, filesystem, and network.

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "versions": [
                "1.0.2"
            ],
            "sha256": "8ab8561c6c561b045d817d4fab3aa0754ce7cd767a3c5ec07b95151dda6b92c8",
            "modified_time": "2026-06-17T16:37:42Z",
            "import_time": "2026-06-17T17:32:18.610311636Z",
            "id": "IN-MAL-2026-006905"
        },
        {
            "source": "amazon-inspector",
            "versions": [
                "1.0.0"
            ],
            "sha256": "62d1882f72b9b1292d6ba9c0f7fad9e1df0b3eb60d3a34f4b2f569223a466480",
            "modified_time": "2026-06-18T19:12:19Z",
            "id": "IN-MAL-2026-007031",
            "import_time": "2026-06-18T19:20:03.747682205Z"
        }
    ]
}

Affected packages

npm / swift-parse-stream

Package: swift-parse-stream (npm)
Affected ranges: 1.*
Affected versions: 1.0.0, 1.0.2

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "swift-parse-stream-1.0.2.tgz",
            "hashes": {
                "sha512_sri": "sha512-wG0o/vj/OGeoZ7Kh6jbx+mPRzBj5U11KbfaBpOoVj2yrOi5JLEJqK+WxeRF4JTJQKOQxhFfVG78taOjvMLLh8Q==",
                "sha1": "1e113e8a3840e6da087fe3fc63c8937861da7a67"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "3a0e1400a7ac8e8b984beef2f330af7a144b04723016ef07681ac0294a725444",
            "tlsh": "767111a8999b7095d6b1e3e447135015f559d1672208c3d4b6acc6983f7172c90f3eec",
            "path": "index.js"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/swift-parse-stream/MAL-2026-6068.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]