MAL-2026-6715

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/svgcraft-core/MAL-2026-6715.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6715
Published
2026-07-01T20:48:15Z
Modified
2026-07-01T21:16:43.337875835Z
Summary
Malicious code in svgcraft-core (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3d44028203c0771b7e6d77ac8addb4d100be6e75992c7ef0bd066035aba86d31)

The CommonJS entry point exports an undocumented getPlugin() factory that fetches a URL-shortener target (https://shorturl.at/nkw3a) and passes a JSON field from the response to eval, executing attacker-controlled JavaScript inside the caller's Node.js process. The shortener destination is mutable, so the operator can swap the executed payload at any time without republishing the package. Additional concealment signals: the function uses cover-story field names (bearrtoken: 'logo', parsed.cookie guarding eval(parsed.model)); the backdoor exists only in the CommonJS build (the ESM entry omits it); the file requires an undeclared request dependency; and the README advertises 'zero dependencies' and does not mention this behavior. Any consumer invoking getPlugin()() via the CJS build will execute remote code chosen by whoever controls the shortener.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.1"
            ],
            "sha256": "1407a3b83a7eff7ec054312944ce4bf2c39fc1a26d9c16cda9f7c3c4afa72187",
            "modified_time": "2026-07-01T20:48:15Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-007900",
            "import_time": "2026-07-01T21:04:20.940834484Z"
        },
        {
            "versions": [
                "1.0.2"
            ],
            "sha256": "3d44028203c0771b7e6d77ac8addb4d100be6e75992c7ef0bd066035aba86d31",
            "source": "amazon-inspector",
            "modified_time": "2026-07-01T20:48:49Z",
            "id": "IN-MAL-2026-007904",
            "import_time": "2026-07-01T21:04:21.214869201Z"
        },
        {
            "versions": [
                "1.0.4"
            ],
            "sha256": "5207167735bdb696743300e61746560ce445beb11da6005ebf7710b7be3408f2",
            "modified_time": "2026-07-01T20:48:25Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-007901",
            "import_time": "2026-07-01T21:04:21.007200975Z"
        },
        {
            "versions": [
                "1.0.3"
            ],
            "sha256": "a18879a0b6e0246f4c05a677423bbb9a6aaf8c533467937236288c41e42ef011",
            "modified_time": "2026-07-01T20:48:42Z",
            "source": "amazon-inspector",
            "import_time": "2026-07-01T21:04:21.126557338Z",
            "id": "IN-MAL-2026-007903"
        }
    ]
}
References
Credits

Affected packages

Package: npm / svgcraft-core
Affected ranges: 1.*
Affected versions: 1.0.1, 1.0.2, 1.0.3, 1.0.4

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "svgcraft-core-1.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-56b0w1Q/C5DqzyYbwZo4Rz6wTZ33FgjucWjQOi0g/CRAS6lLn+omUdVYZL5WDwszpZ0pXMVcLBpiGkEgL2sb9A==",
                "sha1": "09180763fb0685307b86813631688d798d2f6286"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "81459e0c5668e3003f757a40aa97298f2b038a1c11116a078a4df7c55460c4bf",
            "path": "src/index.cjs",
            "tlsh": "650293287cf364920b63709d45cb90ac34b6e507345bde50aa6c49012fa83ace1f7bbd"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/svgcraft-core/MAL-2026-6715.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]