{"id":"MAL-2026-10108","summary":"Malicious code in url-func-registry (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (3a4d96efb2897a3908596981acd2c0666cfd7445def91a32e02e2f95c9475ecf)\nurl-func-registry@1.0.4 exposes a factory `createJsonService` (registered under key 'JsonS' in the public `getFunc` API) that fetches https://www.jsonkeeper.com/b/XVHGD — an anonymous, publicly-editable, author-mutable JSON hosting service — reads the `data` property from the response, and passes it to `new Function.constructor('require', data.data)` which is then invoked with the real `require` bound. This compiles and executes arbitrary JavaScript hosted at an author-controlled slug on a third-party paste service, giving whoever controls that slug full code execution in any consumer process that reaches the 'JsonS' factory. The package presents itself as a URL/singleton registry; remote code execution is not part of the documented behavior, and the `createJsonService` / 'JsonS' naming frames the sink as a benign JSON fetch. Because the payload is served from a mutable pastebin, the executed content can be swapped at any time without any package republish. The backdoor fires only when a consumer invokes the factory (not at install/import), but any downstream integration that iterates or looks up the registered factories will trigger it.\n","modified":"2026-07-09T23:47:00.196011237Z","published":"2026-07-09T23:04:55Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","modified_time":"2026-07-09T23:04:55Z","id":"IN-MAL-2026-009593","sha256":"3a4d96efb2897a3908596981acd2c0666cfd7445def91a32e02e2f95c9475ecf","versions":["1.0.4"],"import_time":"2026-07-09T23:30:55.913591705Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/url-func-registry/v/1.0.4"}],"affected":[{"package":{"name":"url-func-registry","ecosystem":"npm","purl":"pkg:npm/url-func-registry"},"versions":["1.0.4"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"path":"index.js","sha256":"d728dba07907e6c714a2ec66922a66f176a2464bfc704c361c7f34b03ddd2633","tlsh":"9681526dbfe561230f5df0b92a4b510af287d42e24999081f79c26805fad07c91beccc"}],"package_integrity":[{"filename":"url-func-registry-1.0.4.tgz","hashes":{"sha1":"29e8eb439c93d4d2186bc6500a680dde68fcc76a","sha512_sri":"sha512-0z+g5l7aT8a+kpx0y/8LU8luWtZ7FzN18lIe2YbxrF/QD61GRr25mXii8r/kHeduOAEoJze1wAjFNcYz/w3lRw=="}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/url-func-registry/MAL-2026-10108.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}