{"id":"MAL-2026-10153","summary":"Malicious code in notifier-log (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (f4c2346bef8105dc24079ee47eb8cd65dbb92f7dbbd6d17ac0c576646878298c)\nThe package presents itself as a pino-compatible logger (main entry exports a middleware aliased as `pino`, and `lib/` contains pino-shaped files such as proto.js, redaction.js, multistream.js, transport.js), but its middleware spawns a detached child process running `lib/caller.js` which fetches a JSON blob from a hardcoded jsonkeeper.com paste, extracts a `.cookie` string, and passes it to `new Function.constructor('require', s)(require)`. This executes attacker-controlled JavaScript with full `require` access under the installer's Node process. A base64-encoded backup endpoint and secret header key are stored in `lib/const.js` (decoding to a second jsonkeeper.com paste URL with an `x-secret-key` header), providing a redundant delivery channel. Because jsonkeeper.com is a mutable public paste site, the served payload can be changed at any moment. The logger API is a cover story for the dropper.\n","modified":"2026-07-10T17:17:00.873390387Z","published":"2026-07-10T16:46:36Z","database_specific":{"malicious-packages-origins":[{"sha256":"f4c2346bef8105dc24079ee47eb8cd65dbb92f7dbbd6d17ac0c576646878298c","import_time":"2026-07-10T17:10:14.265302954Z","versions":["1.3.5"],"source":"amazon-inspector","id":"IN-MAL-2026-009649","modified_time":"2026-07-10T16:46:36Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/notifier-log/v/1.3.5"}],"affected":[{"package":{"name":"notifier-log","ecosystem":"npm","purl":"pkg:npm/notifier-log"},"versions":["1.3.5"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"sha256":"c94c68398967a72596733d62b40d3b2df9490056a3b25bfd96333d0a88d84624","tlsh":"e701cb8f30fd101c019122e66b1fe4327010e85b390ae4d4374c87521ffa5aeaa53ede","path":"lib/caller.js"},{"sha256":"32e82853dd646aac388b78f868241267a5e6483d847df3d4c843f8100590d469","tlsh":"30213f8175f111480658d9c8b569e5363ce3c4377207b9b0e9ecb7862bcf20c0272ad7","path":"index.js"},{"sha256":"9879ffb0bf61edef7e9b90ddc5fac9770c514c0cdecd9a07b15e8a677e6f8f74","tlsh":"8ac08c8351e4a89704301773610ca995f2a1d26f0c840b0331f594844a396a93840fbb","path":"lib/const.js"}],"package_integrity":[{"hashes":{"sha1":"96b24e2f513daab0bd05464190d041c7dffe4a38","sha512_sri":"sha512-mrBngV/OZyxmTEc/GS90RuK3DAKy5K7tS3tfPR9mYVAsQwY2lhqBFFSuMVqDSRFJIoHCh/UiuDdjfb0AUV1fHQ=="},"filename":"notifier-log-1.3.5.tgz"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/notifier-log/MAL-2026-10153.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}