Supply-chain threat intelligence
Risk score
92
Indexed incident for mdb-vite (npm).
The package's default export getPlugin performs an HTTPS fetch to https://svganchordev.net/icons/107 with URL components split across protocol, domain, separator, and path variables to disguise the destination, then passes the response's credits field to new Function('require','module',...,data.credits) and invokes it with full Node capabilities (require, module, process, Buffer, global, __dirname=process.cwd()). Any consumer that imports the package and invokes the default export runs attacker-controlled code with the installer's Node privileges — enabling arbitrary payload delivery, credential theft, persistence, or downstream compromise. Additional misdirection: the package name mdb-vite evokes MDBootstrap/Vite tooling, keywords are react, helper, svg, the README titles itself polymarket-clob-api, and package.json describes it as a Polymarket CLOB SDK — none of which match the code, which only fetches and evals remote JavaScript. A bearrtoken: 'logo' header and an unused CDN-provider map (cloudflare/fastly/akamai/cloudfront) are decoys to make the loader appear CDN-related.
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Affected versions
Indicators
Timeline