{"id":"MAL-2026-10157","summary":"Malicious code in notify-theme (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (d9cbb2ac45124e3844e29f3efd70ca26f0089ec4eaad718bcbdaf3035ec9b34b)\nThe package impersonates the pino logger API (exports `module.exports.pino = middleware`, ships pino-style files such as lib/proto.js, lib/multistream.js, lib/transport.js, and declares logger-oriented keywords) while its actual behavior is a remote-code dropper. When a consumer imports and invokes the exported middleware, index.js spawns a detached Node child running lib/caller.js, which HTTP-GETs https://jsonkeeper.com/b/K80JD and passes the response body to `new Function.constructor('require', s)`, then invokes it with the host process's `require` — granting the remote endpoint arbitrary code execution inside the installer's Node process with full module access. lib/caller.js disguises the destination by shadowing `process` with a local object whose `env` fields (API_KEY, SECRET_KEY, SECRET_VALUE) actually hold the C2 URL and header pair. lib/const.js contains a base64-encoded backup endpoint that decodes to https://jsonkeeper.com/b/ZK45J. jsonkeeper.com is an anonymous, author-mutable paste host, so the executed payload can change at any time without a package update. The pino-API impersonation on an unrelated package name (`notify-theme`) is a lure so that developers looking for a logger trigger the dropper.\n","modified":"2026-07-10T17:17:00.918850192Z","published":"2026-07-10T16:47:11Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-07-10T17:10:14.70376137Z","sha256":"7d239abc86d6b02bdc5f88d30fca94ca60124df408762b77df76af4ca4cc5805","source":"amazon-inspector","modified_time":"2026-07-10T16:47:18Z","versions":["1.3.5"],"id":"IN-MAL-2026-009654"},{"import_time":"2026-07-10T17:10:14.61743519Z","sha256":"a357a8e0ad89f5ad9c14920eecd04d2c1d13e1dfd2ec9399980fe95127f584f4","source":"amazon-inspector","id":"IN-MAL-2026-009653","versions":["1.3.6"],"modified_time":"2026-07-10T16:47:11Z"},{"import_time":"2026-07-10T17:10:15.302385316Z","sha256":"d9cbb2ac45124e3844e29f3efd70ca26f0089ec4eaad718bcbdaf3035ec9b34b","source":"amazon-inspector","modified_time":"2026-07-10T16:47:57Z","versions":["1.3.7"],"id":"IN-MAL-2026-009658"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/notify-theme/v/1.3.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/notify-theme/v/1.3.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/notify-theme/v/1.3.7"}],"affected":[{"package":{"name":"notify-theme","ecosystem":"npm","purl":"pkg:npm/notify-theme"},"versions":["1.3.5","1.3.6","1.3.7"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/notify-theme/MAL-2026-10157.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"tlsh":"e701cb8f30fd101c019122e66b1fe4327010e85b390ae4d4374c87521ffa5aeaa53ede","sha256":"c94c68398967a72596733d62b40d3b2df9490056a3b25bfd96333d0a88d84624","path":"lib/caller.js"},{"tlsh":"30213f8175f111480658d9c8b569e5363ce3c4377207b9b0e9ecb7862bcf20c0272ad7","sha256":"32e82853dd646aac388b78f868241267a5e6483d847df3d4c843f8100590d469","path":"index.js"},{"tlsh":"8ac08c8351e4a89704301773610ca995f2a1d26f0c840b0331f594844a396a93840fbb","sha256":"9879ffb0bf61edef7e9b90ddc5fac9770c514c0cdecd9a07b15e8a677e6f8f74","path":"lib/const.js"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-cmOshcwbdMb8SNWoyj01eH5bGZdzngqOqEM148lVOaI6GXiJRy0HGHzm5pOFtVGDazLj+QPPX4lunRIFPhTCaA==","sha1":"f1e91ad29b3eeac42e378417b0638b1e6294b546"},"filename":"notify-theme-1.3.5.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}