Supply-chain threat intelligence

Incident detail

critical · npm · malware · osv

Malicious code in 2fa-exe (npm)

2fa-exe

Risk score

92

AI summary

Indexed incident for 2fa-exe (npm).

Description

Package advertises itself as an SVG fetcher/sanitizer but ships an undocumented exported factory getPlugin() in index.js that performs an HTTPS GET to https://www.jsonkeeper.com/b/NGY3C (an anonymous, attacker-mutable JSON-paste service) and passes the response's model field directly to eval(). Any consumer that calls getPlugin() — or any tooling that mass-invokes a package's exports — executes arbitrary JavaScript fetched from a third-party paste at the moment of the call. The remote payload can change at any time without a new package release, so today's benign content provides no assurance about tomorrow's. The package name 2fa-exe also has no relationship to the stated SVG-sanitizer purpose, consistent with bait/lure framing. There is no integrity check, no pinning, and no mention of this behavior in the README.

Technical details

Affected versions

  • = 1.0.1
  • = 1.0.0

Indicators

  • affected version = 1.0.1 (75%)
  • affected version = 1.0.0 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
