mal-2026-6707
Vulnerability from ossf_malicious_packages
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (ceb1026a96918a3f4ed4c7c4f0aa75411c3869f1ad14405174e396b4e67907d2)
index.js exports an undocumented getPlugin() function which, when invoked, performs an HTTP GET to https://shorturl.at/147uq, JSON-parses the response body, and passes the response's model field directly to eval(). The URL is a mutable shortener redirect controlled by the package author and can be repointed to any JavaScript payload at any time, giving the author arbitrary code execution in the process of any consumer that calls getPlugin()(). The package's stated purpose is an SVG helper: package.json describes it as 'Tiny zero-dependency SVG helper for Node.js' and declares no dependencies, yet index.js requires the 'request' library and implements the fetch+eval path. The network+eval behavior is unrelated to SVG processing and is not mentioned in the README, keywords, or exports documentation. The mismatch between advertised purpose and shipped behavior, combined with the shortener-cloaked destination, is deliberate concealment of a backdoor surface.
- CWE-506 - The product contains code that appears to be malicious in nature.
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"evidence_files": [
{
"path": "index.js",
"sha256": "1e9093e063cbdb4bc79725ebcde0535ef0d4af6fc9b351a0850d930ddd98a044",
"tlsh": "b14101697dfb65654363b0b82487c0153572e027a66e4ed0abce0d642f9c1fc0df6ae4"
}
],
"package_integrity": [
{
"filename": "svgson-lite-1.0.1.tgz",
"hashes": {
"sha1": "a16b7e44a00aa54ea5aa732a582a81550904c1b6",
"sha512_sri": "sha512-a7c36n5RYybxaZfOdwVyNPbdf/o5I6FfvS/Bt1LjJhyeF9Q8WXol+sQi5j4flbG4Its3+1VzL0cnB8RKoX+9Ww=="
}
}
]
}
},
"package": {
"ecosystem": "npm",
"name": "svgson-lite"
},
"versions": [
"1.0.1",
"1.0.0",
"1.0.5",
"1.0.6",
"1.0.7",
"1.0.2",
"1.0.4"
]
}
],
"credits": [
{
"contact": [
"inspector-research@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-007851",
"import_time": "2026-07-01T19:11:23.809057427Z",
"modified_time": "2026-07-01T18:35:47Z",
"sha256": "083b9db212b14d87917991f5faa63212319efaec6c2b573fa8d0efb1da747572",
"source": "amazon-inspector",
"versions": [
"1.0.1"
]
},
{
"id": "IN-MAL-2026-007852",
"import_time": "2026-07-01T19:11:23.920731572Z",
"modified_time": "2026-07-01T18:35:55Z",
"sha256": "74d7365a440703b3b3a7dd0486437fedd80cfb6fd4c0d5e636f32385621cb5df",
"source": "amazon-inspector",
"versions": [
"1.0.0"
]
},
{
"id": "IN-MAL-2026-007853",
"import_time": "2026-07-01T19:11:24.0866588Z",
"modified_time": "2026-07-01T18:36:05Z",
"sha256": "b54d78c3ce0a5c30a8060cc6086a5a5d410fc4ab24442aa93f16475a218e32f4",
"source": "amazon-inspector",
"versions": [
"1.0.5"
]
},
{
"id": "IN-MAL-2026-007848",
"import_time": "2026-07-01T19:11:23.503149023Z",
"modified_time": "2026-07-01T18:35:21Z",
"sha256": "ceb1026a96918a3f4ed4c7c4f0aa75411c3869f1ad14405174e396b4e67907d2",
"source": "amazon-inspector",
"versions": [
"1.0.6"
]
},
{
"id": "IN-MAL-2026-007849",
"import_time": "2026-07-01T19:11:23.596474468Z",
"modified_time": "2026-07-01T18:35:28Z",
"sha256": "3af541a1fe8000c1b4aa51ea183d7e780163090d6ca8a2a52dfcd0ebf7f388be",
"source": "amazon-inspector",
"versions": [
"1.0.7"
]
},
{
"id": "IN-MAL-2026-007850",
"import_time": "2026-07-01T19:11:23.700829044Z",
"modified_time": "2026-07-01T18:35:36Z",
"sha256": "6fb634869b533b95806d632f845ae1a10e6d23e3114f16f0626810367e54817f",
"source": "amazon-inspector",
"versions": [
"1.0.2"
]
},
{
"id": "IN-MAL-2026-007847",
"import_time": "2026-07-01T19:11:23.387408601Z",
"modified_time": "2026-07-01T18:35:11Z",
"sha256": "745e263630d68551c3f2002b051c37aee9a891e7edec1e2ed2725d27ff66bb65",
"source": "amazon-inspector",
"versions": [
"1.0.4"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (ceb1026a96918a3f4ed4c7c4f0aa75411c3869f1ad14405174e396b4e67907d2)\nindex.js exports an undocumented getPlugin() function which, when invoked, performs an HTTP GET to https://shorturl.at/147uq, JSON-parses the response body, and passes the response\u0027s `model` field directly to eval(). The URL is a mutable shortener redirect controlled by the package author and can be repointed to any JavaScript payload at any time, giving the author arbitrary code execution in the process of any consumer that calls getPlugin()(). The package\u0027s stated purpose is an SVG helper: package.json describes it as \u0027Tiny zero-dependency SVG helper for Node.js\u0027 and declares no dependencies, yet index.js requires the \u0027request\u0027 library and implements the fetch+eval path. The network+eval behavior is unrelated to SVG processing and is not mentioned in the README, keywords, or exports documentation. The mismatch between advertised purpose and shipped behavior, combined with the shortener-cloaked destination, is deliberate concealment of a backdoor surface.\n",
"id": "MAL-2026-6707",
"modified": "2026-07-01T19:13:20Z",
"published": "2026-07-01T18:35:11Z",
"references": [
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/svgson-lite/v/1.0.1"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/svgson-lite/v/1.0.0"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/svgson-lite/v/1.0.5"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/svgson-lite/v/1.0.6"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/svgson-lite/v/1.0.7"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/svgson-lite/v/1.0.2"
},
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/svgson-lite/v/1.0.4"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in svgson-lite (npm)"
}