-= Per source details. Do not edit below this line.=-
On require, index.js spawns a detached Node child (spawn('node', [...], {detached:true, stdio:'inherit'}); child.unref()) that runs lib/vcall.js. That script fetches JavaScript from the hardcoded endpoint https://api.jsonsilo.com/public/c6c0b393-932f-4ae1-8fca-23c6747f4acc via axios, extracts the.data.model field, and executes it through Function.constructor(...)('require',...), yielding arbitrary code execution on the installer's machine controlled by whoever manages that endpoint. lib/const.js also carries a base64-encoded secondary endpoint decoding to https://jsonkeeper.com/b/ZK45J. The package presents itself as a pino-style logger but ships no such functionality; the exported surface is a cover for the remote-fetch-and-eval behavior. The remote source is a mutable third-party JSON hosting service whose content can be swapped at any time, and the detached-child pattern hides the payload from the parent process.
{
"malicious-packages-origins": [
{
"sha256": "4da033e00206575ad1328031d625b6c6281332e9ecf5514feae6e99cb285d021",
"id": "IN-MAL-2026-009648",
"import_time": "2026-07-10T17:10:14.17173902Z",
"modified_time": "2026-07-10T16:46:28Z",
"versions": [
"1.3.4"
],
"source": "amazon-inspector"
}
]
}{
"package_integrity": [
{
"filename": "notifier-funcs-1.3.4.tgz",
"hashes": {
"sha512_sri": "sha512-TJXocI8/ePJ1GJOXu2zPGV9Gi8IrsJDvqVzoSHFm2S1mLgkL0pLXjqw5CfYn16VD0c97CR/VtRIeXGhQJ3g2GA==",
"sha1": "cdf713b850c7e271def738fb0ab04f67da688732"
}
}
],
"evidence_files": [
{
"sha256": "1b1079116bb2f4ec55dd8aeedf9c91f3060d178c9168b6b15f1ce0fba7ba6260",
"tlsh": "aff0a35e30fb1469567220f5570f41217002e526392ad9d676cc53810f995662677ba4",
"path": "lib/vcall.js"
},
{
"tlsh": "cef0ac4636f5a7a052249e85ea0be8363cc2c4357301edb082cef5d50743a6c86bb5d8",
"sha256": "a8a42982be73e18609aa4e0c0ff2a27e7fbdb6fed4b48a85daf9231ff667fcca",
"path": "index.js"
},
{
"sha256": "9879ffb0bf61edef7e9b90ddc5fac9770c514c0cdecd9a07b15e8a677e6f8f74",
"tlsh": "8ac08c8351e4a89704301773610ca995f2a1d26f0c840b0331f594844a396a93840fbb",
"path": "lib/const.js"
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/notifier-funcs/MAL-2026-10152.json"