MAL-2026-10108

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/url-func-registry/MAL-2026-10108.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10108
Published
2026-07-09T23:04:55Z
Modified
2026-07-09T23:47:00.196011237Z
Summary
Malicious code in url-func-registry (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3a4d96efb2897a3908596981acd2c0666cfd7445def91a32e02e2f95c9475ecf)

url-func-registry@1.0.4 exposes a factory createJsonService (registered under key 'JsonS' in the public getFunc API) that fetches https://www.jsonkeeper.com/b/XVHGD — an anonymous, publicly-editable, author-mutable JSON hosting service — reads the data property from the response, and passes it to new Function.constructor('require', data.data) which is then invoked with the real require bound. This compiles and executes arbitrary JavaScript hosted at an author-controlled slug on a third-party paste service, giving whoever controls that slug full code execution in any consumer process that reaches the 'JsonS' factory. The package presents itself as a URL/singleton registry; remote code execution is not part of the documented behavior, and the createJsonService / 'JsonS' naming frames the sink as a benign JSON fetch. Because the payload is served from a mutable pastebin, the executed content can be swapped at any time without any package republish. The backdoor fires only when a consumer invokes the factory (not at install/import), but any downstream integration that iterates or looks up the registered factories will trigger it.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.4"
            ],
            "id": "IN-MAL-2026-009593",
            "import_time": "2026-07-09T23:30:55.913591705Z",
            "modified_time": "2026-07-09T23:04:55Z",
            "sha256": "3a4d96efb2897a3908596981acd2c0666cfd7445def91a32e02e2f95c9475ecf",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / url-func-registry

Package

Affected ranges

Affected versions

1.*
1.0.4

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "d728dba07907e6c714a2ec66922a66f176a2464bfc704c361c7f34b03ddd2633",
            "tlsh": "9681526dbfe561230f5df0b92a4b510af287d42e24999081f79c26805fad07c91beccc",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "url-func-registry-1.0.4.tgz",
            "hashes": {
                "sha512_sri": "sha512-0z+g5l7aT8a+kpx0y/8LU8luWtZ7FzN18lIe2YbxrF/QD61GRr25mXii8r/kHeduOAEoJze1wAjFNcYz/w3lRw==",
                "sha1": "29e8eb439c93d4d2186bc6500a680dde68fcc76a"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/url-func-registry/MAL-2026-10108.json"