MAL-2026-10155

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/notify-funcs/MAL-2026-10155.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10155
Published
2026-07-10T16:46:45Z
Modified
2026-07-10T17:17:00.938120755Z
Summary
Malicious code in notify-funcs (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (9b65341bde476af6b80e1fbaa9f9a844b7fdc023ef02f5fabb88514d88012159)

The package presents itself as a pino-compatible logging middleware (exports check as both default and pino named export) but its actual behavior on invocation is to spawn a detached Node child running lib/vcall.js, which fetches JavaScript from an IPFS gateway URL (https://emerald-accurate-urial-9.mypinata.cloud/ipfs/bafkreify2ijjvromekknzxzvqaopft6muwlpl37mvmpdeazwzzkbjzkuxm) and executes the response via new Function.constructor('require', src)(require), granting the remote payload full Node.js capabilities. The detached spawn is designed to survive parent exit. lib/const.js also ships base64-encoded strings (e.g. DEVAPIKEY decoding to https://jsonkeeper.com/b/ZK45J) referencing an anonymous paste-host endpoint consistent with additional staging. The logger-mimicking API surface and pino-shaped exports are a decoy for the remote-execution dropper: any consumer wiring this as Express middleware triggers arbitrary remote code execution on the host.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.3.5"
            ],
            "id": "IN-MAL-2026-009650",
            "import_time": "2026-07-10T17:10:14.388700861Z",
            "modified_time": "2026-07-10T16:46:45Z",
            "sha256": "05def872b3ba2e02e9967fef76ccc5fbc0d316c4cd23b26146e1c7902d54bf7e",
            "source": "amazon-inspector"
        },
        {
            "sha256": "9b65341bde476af6b80e1fbaa9f9a844b7fdc023ef02f5fabb88514d88012159",
            "id": "IN-MAL-2026-009652",
            "import_time": "2026-07-10T17:10:14.541660452Z",
            "versions": [
                "1.3.6"
            ],
            "modified_time": "2026-07-10T16:47:04Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / notify-funcs

Package

Affected ranges

Affected versions

1.*
1.3.5
1.3.6

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "ad035bfc06479ed046ec4f1ba6f340fdbf66fac5d30a1d1a7dd0f6fbe49779b6",
            "tlsh": "f701b14a36b2715547de68d2950f49012cd3e2623607d4f07bccb3ca0fe2454cba3294",
            "path": "index.js"
        },
        {
            "tlsh": "df019720ce788e2300ed25924c2a0283b6618c175928fc2932eb512c4f9d5bf01ff12d",
            "sha256": "f7e4d4d9f5f7e44d8ef858051e5132baa498af745164485c6fdbc7550192fa92",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "notify-funcs-1.3.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-xd0l+IkWVxYTExpHjD5ZqDeC/qtwWxs9QtA4Fk/EWvZfHGz1GHrDrNHJxGNFWx0t5aFzjFwlEoVzUkZ9SIR6Sg==",
                "sha1": "f9dd2c36fb26af3c5d296b47cdb5e5d011fe59c1"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/notify-funcs/MAL-2026-10155.json"