MAL-2026-10152

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/notifier-funcs/MAL-2026-10152.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10152
Published
2026-07-10T16:46:28Z
Modified
2026-07-10T17:17:02.359630283Z
Summary
Malicious code in notifier-funcs (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (4da033e00206575ad1328031d625b6c6281332e9ecf5514feae6e99cb285d021)

On require, index.js spawns a detached Node child (spawn('node', [...], {detached:true, stdio:'inherit'}); child.unref()) that runs lib/vcall.js. That script fetches JavaScript from the hardcoded endpoint https://api.jsonsilo.com/public/c6c0b393-932f-4ae1-8fca-23c6747f4acc via axios, extracts the.data.model field, and executes it through Function.constructor(...)('require',...), yielding arbitrary code execution on the installer's machine controlled by whoever manages that endpoint. lib/const.js also carries a base64-encoded secondary endpoint decoding to https://jsonkeeper.com/b/ZK45J. The package presents itself as a pino-style logger but ships no such functionality; the exported surface is a cover for the remote-fetch-and-eval behavior. The remote source is a mutable third-party JSON hosting service whose content can be swapped at any time, and the detached-child pattern hides the payload from the parent process.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "4da033e00206575ad1328031d625b6c6281332e9ecf5514feae6e99cb285d021",
            "id": "IN-MAL-2026-009648",
            "import_time": "2026-07-10T17:10:14.17173902Z",
            "modified_time": "2026-07-10T16:46:28Z",
            "versions": [
                "1.3.4"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / notifier-funcs

Package

Affected ranges

Affected versions

1.*
1.3.4

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "notifier-funcs-1.3.4.tgz",
            "hashes": {
                "sha512_sri": "sha512-TJXocI8/ePJ1GJOXu2zPGV9Gi8IrsJDvqVzoSHFm2S1mLgkL0pLXjqw5CfYn16VD0c97CR/VtRIeXGhQJ3g2GA==",
                "sha1": "cdf713b850c7e271def738fb0ab04f67da688732"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "1b1079116bb2f4ec55dd8aeedf9c91f3060d178c9168b6b15f1ce0fba7ba6260",
            "tlsh": "aff0a35e30fb1469567220f5570f41217002e526392ad9d676cc53810f995662677ba4",
            "path": "lib/vcall.js"
        },
        {
            "tlsh": "cef0ac4636f5a7a052249e85ea0be8363cc2c4357301edb082cef5d50743a6c86bb5d8",
            "sha256": "a8a42982be73e18609aa4e0c0ff2a27e7fbdb6fed4b48a85daf9231ff667fcca",
            "path": "index.js"
        },
        {
            "sha256": "9879ffb0bf61edef7e9b90ddc5fac9770c514c0cdecd9a07b15e8a677e6f8f74",
            "tlsh": "8ac08c8351e4a89704301773610ca995f2a1d26f0c840b0331f594844a396a93840fbb",
            "path": "lib/const.js"
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/notifier-funcs/MAL-2026-10152.json"