-= Per source details. Do not edit below this line.=-
The package presents itself as a pino-compatible logger (main entry exports a middleware aliased as pino, and lib/ contains pino-shaped files such as proto.js, redaction.js, multistream.js, transport.js), but its middleware spawns a detached child process running lib/caller.js which fetches a JSON blob from a hardcoded jsonkeeper.com paste, extracts a .cookie string, and passes it to new Function.constructor('require', s)(require). This executes attacker-controlled JavaScript with full require access under the installer's Node process. A base64-encoded backup endpoint and secret header key are stored in lib/const.js (decoding to a second jsonkeeper.com paste URL with an x-secret-key header), providing a redundant delivery channel. Because jsonkeeper.com is a mutable public paste site, the served payload can be changed at any moment. The logger API is a cover story for the dropper.
{
"malicious-packages-origins": [
{
"sha256": "f4c2346bef8105dc24079ee47eb8cd65dbb92f7dbbd6d17ac0c576646878298c",
"id": "IN-MAL-2026-009649",
"import_time": "2026-07-10T17:10:14.265302954Z",
"modified_time": "2026-07-10T16:46:36Z",
"versions": [
"1.3.5"
],
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "c94c68398967a72596733d62b40d3b2df9490056a3b25bfd96333d0a88d84624",
"tlsh": "e701cb8f30fd101c019122e66b1fe4327010e85b390ae4d4374c87521ffa5aeaa53ede",
"path": "lib/caller.js"
},
{
"sha256": "32e82853dd646aac388b78f868241267a5e6483d847df3d4c843f8100590d469",
"tlsh": "30213f8175f111480658d9c8b569e5363ce3c4377207b9b0e9ecb7862bcf20c0272ad7",
"path": "index.js"
},
{
"sha256": "9879ffb0bf61edef7e9b90ddc5fac9770c514c0cdecd9a07b15e8a677e6f8f74",
"tlsh": "8ac08c8351e4a89704301773610ca995f2a1d26f0c840b0331f594844a396a93840fbb",
"path": "lib/const.js"
}
],
"package_integrity": [
{
"filename": "notifier-log-1.3.5.tgz",
"hashes": {
"sha512_sri": "sha512-mrBngV/OZyxmTEc/GS90RuK3DAKy5K7tS3tfPR9mYVAsQwY2lhqBFFSuMVqDSRFJIoHCh/UiuDdjfb0AUV1fHQ==",
"sha1": "96b24e2f513daab0bd05464190d041c7dffe4a38"
}
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/notifier-log/MAL-2026-10153.json"