{"id":"MAL-2026-10154","summary":"Malicious code in notify-dist (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (1cf89f8fbe4c3f9ae9494077688977f46c8b3f875a552054508ac5eec7b62344)\nnotify-dist advertises itself as a pino-compatible logger/middleware (exports `module.exports.pino`, keywords fast/logger/stream/json, lib/ mirrors pino internals such as proto.js, multistream.js, redaction.js, transport.js), but the exported middleware's only side effect is to launch a remote-code loader. When a consumer requires the package and invokes the exported middleware, index.js spawns `node lib/caller.js` as a detached child with `stdio: 'ignore'` and `child.unref()` so the loader survives after the parent exits. lib/caller.js issues an HTTP GET to https://jsonkeeper.com/b/BPB86 via axios, reads the `.cookie` field of the response, and executes it as JavaScript via `new Function.constructor('require', s)(require)`, giving the fetched code full Node privileges including `require`. The loader retries up to 5 times and silences console.log to hide activity. lib/const.js additionally holds base64-encoded fields that decode to a second endpoint (https://jsonkeeper.com/b/ZK45J) and header name `x-secret-key`, serving as a rotation/backup payload URL. jsonkeeper.com is a mutable third-party JSON paste host, so the executed code is fully attacker-controlled and can change at any time. The pino-shaped API surface is a lure: consumers importing this expecting logger behavior get arbitrary remote code execution on their machine.\n","modified":"2026-07-10T17:17:00.969531508Z","published":"2026-07-10T16:46:54Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-07-10T17:10:14.455780209Z","modified_time":"2026-07-10T16:46:54Z","sha256":"1cf89f8fbe4c3f9ae9494077688977f46c8b3f875a552054508ac5eec7b62344","versions":["1.3.7"],"id":"IN-MAL-2026-009651","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/notify-dist/v/1.3.7"}],"affected":[{"package":{"name":"notify-dist","ecosystem":"npm","purl":"pkg:npm/notify-dist"},"versions":["1.3.7"],"database_specific":{"indicators":{"package_integrity":[{"filename":"notify-dist-1.3.7.tgz","hashes":{"sha1":"7240e029dcaa2260310f058492803035d5de57a8","sha512_sri":"sha512-ly4lSkXwVJZLxIEK6gASN1Js/wstopvpFXwoDhGwLaJbdqOlDsmIUEF4zyakkWbs5AyluPMPyKCknzlN1kmQwA=="}}],"evidence_files":[{"tlsh":"f601fe4e30fd201c42a120d55b1fa4327021e86b390ae4d5734cc7521fe656eae23fdd","sha256":"0eb54b2e747503e5eb4ef23794f55bd236c66a580bfec44e8c227fc3d7b6c73a","path":"lib/caller.js"},{"tlsh":"30213f8175f111480658d9c8b569e5363ce3c4377207b9b0e9ecb7862bcf20c0272ad7","sha256":"32e82853dd646aac388b78f868241267a5e6483d847df3d4c843f8100590d469","path":"index.js"},{"tlsh":"d5019720de789e2304ed25825c2a0643b6758c176928fc2933eb512d0f9d5bf01bf26e","sha256":"a063ebdf36bb5c393c0c5b098e2627355405d231f58ff420216b1ae9997393a5","path":"package.json"},{"tlsh":"8ac08c8351e4a89704301773610ca995f2a1d26f0c840b0331f594844a396a93840fbb","sha256":"9879ffb0bf61edef7e9b90ddc5fac9770c514c0cdecd9a07b15e8a677e6f8f74","path":"lib/const.js"}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/notify-dist/MAL-2026-10154.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}