{"id":"MAL-2026-10152","summary":"Malicious code in notifier-funcs (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (4da033e00206575ad1328031d625b6c6281332e9ecf5514feae6e99cb285d021)\nOn require, index.js spawns a detached Node child (spawn('node', [...], {detached:true, stdio:'inherit'}); child.unref()) that runs lib/vcall.js. That script fetches JavaScript from the hardcoded endpoint https://api.jsonsilo.com/public/c6c0b393-932f-4ae1-8fca-23c6747f4acc via axios, extracts the.data.model field, and executes it through Function.constructor(...)('require',...), yielding arbitrary code execution on the installer's machine controlled by whoever manages that endpoint. lib/const.js also carries a base64-encoded secondary endpoint decoding to https://jsonkeeper.com/b/ZK45J. The package presents itself as a pino-style logger but ships no such functionality; the exported surface is a cover for the remote-fetch-and-eval behavior. The remote source is a mutable third-party JSON hosting service whose content can be swapped at any time, and the detached-child pattern hides the payload from the parent process.\n","modified":"2026-07-10T17:17:02.359630283Z","published":"2026-07-10T16:46:28Z","database_specific":{"malicious-packages-origins":[{"sha256":"4da033e00206575ad1328031d625b6c6281332e9ecf5514feae6e99cb285d021","source":"amazon-inspector","import_time":"2026-07-10T17:10:14.17173902Z","versions":["1.3.4"],"id":"IN-MAL-2026-009648","modified_time":"2026-07-10T16:46:28Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/notifier-funcs/v/1.3.4"}],"affected":[{"package":{"name":"notifier-funcs","ecosystem":"npm","purl":"pkg:npm/notifier-funcs"},"versions":["1.3.4"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/notifier-funcs/MAL-2026-10152.json","cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"tlsh":"aff0a35e30fb1469567220f5570f41217002e526392ad9d676cc53810f995662677ba4","sha256":"1b1079116bb2f4ec55dd8aeedf9c91f3060d178c9168b6b15f1ce0fba7ba6260","path":"lib/vcall.js"},{"tlsh":"cef0ac4636f5a7a052249e85ea0be8363cc2c4357301edb082cef5d50743a6c86bb5d8","sha256":"a8a42982be73e18609aa4e0c0ff2a27e7fbdb6fed4b48a85daf9231ff667fcca","path":"index.js"},{"tlsh":"8ac08c8351e4a89704301773610ca995f2a1d26f0c840b0331f594844a396a93840fbb","sha256":"9879ffb0bf61edef7e9b90ddc5fac9770c514c0cdecd9a07b15e8a677e6f8f74","path":"lib/const.js"}],"package_integrity":[{"hashes":{"sha1":"cdf713b850c7e271def738fb0ab04f67da688732","sha512_sri":"sha512-TJXocI8/ePJ1GJOXu2zPGV9Gi8IrsJDvqVzoSHFm2S1mLgkL0pLXjqw5CfYn16VD0c97CR/VtRIeXGhQJ3g2GA=="},"filename":"notifier-funcs-1.3.4.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}