{"id":"MAL-2026-10437","summary":"Malicious code in jsonfb (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (7fc07bf73ed684a1d555baa4dc6cadcd170bde4da4779ef62c0dd3f9cf02c99a)\nPackage jsonfb@1.1.0 is presented as a JSON.parse bigint helper (mimicking json-bigint, and re-using the real json-bigint maintainer's name in package.json while the repository URL points at an unrelated org). The entire 471 KB index.js is packed with obfuscator.io (rotating 3004-entry string array, RC4-based string decoder, self-defending debugger check, control-flow flattening) that hides all require targets, destination URLs, and config keys. Behind the obfuscation, the module pulls vm, fs, os, http, https, crypto and implements fetchRemoteRiskCode, which HTTP-GETs base64-encoded JavaScript from a set of remoteCodeUrls, decodes it with Buffer.from(data.code,'base64'), and executes it via new vm.Script(code,{filename,timeout}).runInContext(sandboxContext) inside a SandboxManager that exposes fs, os, path, child_process, http, and require to the fetched code. A startRiskCodePolling loop (default 30s) auto-starts when NODE_ENV=production or when RISK_CODE_AUTO_START is set. A companion remoteLog path builds HMAC-MD5-signed POSTs (signWithMD5 with hardcoded signSecretKey/signSecretValue) to remoteLogUrls to ship runtime state and sandbox output back to the operator. The obfuscation, the impersonated author identity, the typosquat name, and the require-time remote-code-execution + signed exfiltration channel together constitute a live C2/dropper delivered as a fake JSON parser.\n","modified":"2026-07-13T10:47:04.273806795Z","published":"2026-07-13T09:17:31Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-010174","import_time":"2026-07-13T10:37:34.826441672Z","modified_time":"2026-07-13T09:17:31Z","sha256":"7fc07bf73ed684a1d555baa4dc6cadcd170bde4da4779ef62c0dd3f9cf02c99a","source":"amazon-inspector","versions":["1.1.0"]},{"source":"amazon-inspector","versions":["1.1.0-beta.1"],"id":"IN-MAL-2026-010177","import_time":"2026-07-13T10:37:35.080466974Z","modified_time":"2026-07-13T09:17:54Z","sha256":"98848bd28a5e3618e7db4e91a9186f70be344122f20a963317063ca52badd0b3"},{"versions":["1.1.0-beta.2"],"id":"IN-MAL-2026-010178","import_time":"2026-07-13T10:37:35.16099686Z","modified_time":"2026-07-13T09:18:02Z","sha256":"cc9554116a6b3a8cb431a21bbfe2f603f8ace900d2f7da8aac59178461157c4f","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/jsonfb/v/1.1.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/jsonfb/v/1.1.0-beta.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/jsonfb/v/1.1.0-beta.2"}],"affected":[{"package":{"name":"jsonfb","ecosystem":"npm","purl":"pkg:npm/jsonfb"},"versions":["1.1.0","1.1.0-beta.1","1.1.0-beta.2"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"indicators":{"package_integrity":[{"filename":"jsonfb-1.1.0-beta.1.tgz","hashes":{"sha512_sri":"sha512-lNBIS+g1L2vU1l6jjrXG4lGrctxDUJ9Ku3RzyAk5uUn3M3jvZV9tXSm+ik879K1xcrOOfxrdoM+FzU/8LiZPSg==","sha1":"095b89d4544d5c6fdaed3c138320f9a7825614a4"}}],"evidence_files":[{"path":"index.js","sha256":"57f0f45bba6668ed3e98cbd6ea939501f03d5ca248f00489b5629d67d46f0ac6","tlsh":"89a4c19467c0e40762cf0b53ff06bae9e56ba9b674c8a8478664799d25bc107c1f0ef0"},{"path":"package.json","sha256":"776be8428a91158eef4e02cb7cfde8051e4a863708dbb5d85b6e3fd4293504e6","tlsh":"cef0e230c174aea30add6b90ac9a2846a9434c679894fc283793111d9fee52f55fd2bc"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/jsonfb/MAL-2026-10437.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}