{"id":"MAL-2026-10155","summary":"Malicious code in notify-funcs (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (9b65341bde476af6b80e1fbaa9f9a844b7fdc023ef02f5fabb88514d88012159)\nThe package presents itself as a pino-compatible logging middleware (exports `check` as both default and `pino` named export) but its actual behavior on invocation is to spawn a detached Node child running lib/vcall.js, which fetches JavaScript from an IPFS gateway URL (https://emerald-accurate-urial-9.mypinata.cloud/ipfs/bafkreify2ijjvromekknzxzvqaopft6muwlpl37mvmpdeazwzzkbjzkuxm) and executes the response via `new Function.constructor('require', src)(require)`, granting the remote payload full Node.js capabilities. The detached spawn is designed to survive parent exit. lib/const.js also ships base64-encoded strings (e.g. DEV_API_KEY decoding to https://jsonkeeper.com/b/ZK45J) referencing an anonymous paste-host endpoint consistent with additional staging. The logger-mimicking API surface and pino-shaped exports are a decoy for the remote-execution dropper: any consumer wiring this as Express middleware triggers arbitrary remote code execution on the host.\n","modified":"2026-07-10T17:17:00.938120755Z","published":"2026-07-10T16:46:45Z","database_specific":{"malicious-packages-origins":[{"sha256":"05def872b3ba2e02e9967fef76ccc5fbc0d316c4cd23b26146e1c7902d54bf7e","versions":["1.3.5"],"id":"IN-MAL-2026-009650","source":"amazon-inspector","import_time":"2026-07-10T17:10:14.388700861Z","modified_time":"2026-07-10T16:46:45Z"},{"sha256":"9b65341bde476af6b80e1fbaa9f9a844b7fdc023ef02f5fabb88514d88012159","source":"amazon-inspector","id":"IN-MAL-2026-009652","versions":["1.3.6"],"import_time":"2026-07-10T17:10:14.541660452Z","modified_time":"2026-07-10T16:47:04Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/notify-funcs/v/1.3.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/notify-funcs/v/1.3.6"}],"affected":[{"package":{"name":"notify-funcs","ecosystem":"npm","purl":"pkg:npm/notify-funcs"},"versions":["1.3.5","1.3.6"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/notify-funcs/MAL-2026-10155.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-xd0l+IkWVxYTExpHjD5ZqDeC/qtwWxs9QtA4Fk/EWvZfHGz1GHrDrNHJxGNFWx0t5aFzjFwlEoVzUkZ9SIR6Sg==","sha1":"f9dd2c36fb26af3c5d296b47cdb5e5d011fe59c1"},"filename":"notify-funcs-1.3.5.tgz"}],"evidence_files":[{"sha256":"ad035bfc06479ed046ec4f1ba6f340fdbf66fac5d30a1d1a7dd0f6fbe49779b6","tlsh":"f701b14a36b2715547de68d2950f49012cd3e2623607d4f07bccb3ca0fe2454cba3294","path":"index.js"},{"sha256":"f7e4d4d9f5f7e44d8ef858051e5132baa498af745164485c6fdbc7550192fa92","path":"package.json","tlsh":"df019720ce788e2300ed25924c2a0283b6618c175928fc2932eb512c4f9d5bf01ff12d"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}