-= Per source details. Do not edit below this line.=-
The package presents itself as a pino-compatible logging middleware (exports check as both default and pino named export) but its actual behavior on invocation is to spawn a detached Node child running lib/vcall.js, which fetches JavaScript from an IPFS gateway URL (https://emerald-accurate-urial-9.mypinata.cloud/ipfs/bafkreify2ijjvromekknzxzvqaopft6muwlpl37mvmpdeazwzzkbjzkuxm) and executes the response via new Function.constructor('require', src)(require), granting the remote payload full Node.js capabilities. The detached spawn is designed to survive parent exit. lib/const.js also ships base64-encoded strings (e.g. DEVAPIKEY decoding to https://jsonkeeper.com/b/ZK45J) referencing an anonymous paste-host endpoint consistent with additional staging. The logger-mimicking API surface and pino-shaped exports are a decoy for the remote-execution dropper: any consumer wiring this as Express middleware triggers arbitrary remote code execution on the host.
{
"malicious-packages-origins": [
{
"versions": [
"1.3.5"
],
"id": "IN-MAL-2026-009650",
"import_time": "2026-07-10T17:10:14.388700861Z",
"modified_time": "2026-07-10T16:46:45Z",
"sha256": "05def872b3ba2e02e9967fef76ccc5fbc0d316c4cd23b26146e1c7902d54bf7e",
"source": "amazon-inspector"
},
{
"sha256": "9b65341bde476af6b80e1fbaa9f9a844b7fdc023ef02f5fabb88514d88012159",
"id": "IN-MAL-2026-009652",
"import_time": "2026-07-10T17:10:14.541660452Z",
"versions": [
"1.3.6"
],
"modified_time": "2026-07-10T16:47:04Z",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "ad035bfc06479ed046ec4f1ba6f340fdbf66fac5d30a1d1a7dd0f6fbe49779b6",
"tlsh": "f701b14a36b2715547de68d2950f49012cd3e2623607d4f07bccb3ca0fe2454cba3294",
"path": "index.js"
},
{
"tlsh": "df019720ce788e2300ed25924c2a0283b6618c175928fc2932eb512c4f9d5bf01ff12d",
"sha256": "f7e4d4d9f5f7e44d8ef858051e5132baa498af745164485c6fdbc7550192fa92",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "notify-funcs-1.3.5.tgz",
"hashes": {
"sha512_sri": "sha512-xd0l+IkWVxYTExpHjD5ZqDeC/qtwWxs9QtA4Fk/EWvZfHGz1GHrDrNHJxGNFWx0t5aFzjFwlEoVzUkZ9SIR6Sg==",
"sha1": "f9dd2c36fb26af3c5d296b47cdb5e5d011fe59c1"
}
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/notify-funcs/MAL-2026-10155.json"