MAL-2026-10157

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/notify-theme/MAL-2026-10157.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10157
Published
2026-07-10T16:47:11Z
Modified
2026-07-10T17:17:00.918850192Z
Summary
Malicious code in notify-theme (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d9cbb2ac45124e3844e29f3efd70ca26f0089ec4eaad718bcbdaf3035ec9b34b)

The package impersonates the pino logger API (exports module.exports.pino = middleware, ships pino-style files such as lib/proto.js, lib/multistream.js, lib/transport.js, and declares logger-oriented keywords) while its actual behavior is a remote-code dropper. When a consumer imports and invokes the exported middleware, index.js spawns a detached Node child running lib/caller.js, which HTTP-GETs https://jsonkeeper.com/b/K80JD and passes the response body to new Function.constructor('require', s), then invokes it with the host process's require — granting the remote endpoint arbitrary code execution inside the installer's Node process with full module access. lib/caller.js disguises the destination by shadowing process with a local object whose env fields (APIKEY, SECRETKEY, SECRET_VALUE) actually hold the C2 URL and header pair. lib/const.js contains a base64-encoded backup endpoint that decodes to https://jsonkeeper.com/b/ZK45J. jsonkeeper.com is an anonymous, author-mutable paste host, so the executed payload can change at any time without a package update. The pino-API impersonation on an unrelated package name (notify-theme) is a lure so that developers looking for a logger trigger the dropper.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "7d239abc86d6b02bdc5f88d30fca94ca60124df408762b77df76af4ca4cc5805",
            "id": "IN-MAL-2026-009654",
            "import_time": "2026-07-10T17:10:14.70376137Z",
            "modified_time": "2026-07-10T16:47:18Z",
            "versions": [
                "1.3.5"
            ],
            "source": "amazon-inspector"
        },
        {
            "sha256": "a357a8e0ad89f5ad9c14920eecd04d2c1d13e1dfd2ec9399980fe95127f584f4",
            "id": "IN-MAL-2026-009653",
            "modified_time": "2026-07-10T16:47:11Z",
            "versions": [
                "1.3.6"
            ],
            "import_time": "2026-07-10T17:10:14.61743519Z",
            "source": "amazon-inspector"
        },
        {
            "sha256": "d9cbb2ac45124e3844e29f3efd70ca26f0089ec4eaad718bcbdaf3035ec9b34b",
            "id": "IN-MAL-2026-009658",
            "import_time": "2026-07-10T17:10:15.302385316Z",
            "modified_time": "2026-07-10T16:47:57Z",
            "versions": [
                "1.3.7"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / notify-theme

Package

Affected ranges

Affected versions

1.*
1.3.5
1.3.6
1.3.7

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "c94c68398967a72596733d62b40d3b2df9490056a3b25bfd96333d0a88d84624",
            "tlsh": "e701cb8f30fd101c019122e66b1fe4327010e85b390ae4d4374c87521ffa5aeaa53ede",
            "path": "lib/caller.js"
        },
        {
            "tlsh": "30213f8175f111480658d9c8b569e5363ce3c4377207b9b0e9ecb7862bcf20c0272ad7",
            "sha256": "32e82853dd646aac388b78f868241267a5e6483d847df3d4c843f8100590d469",
            "path": "index.js"
        },
        {
            "sha256": "9879ffb0bf61edef7e9b90ddc5fac9770c514c0cdecd9a07b15e8a677e6f8f74",
            "tlsh": "8ac08c8351e4a89704301773610ca995f2a1d26f0c840b0331f594844a396a93840fbb",
            "path": "lib/const.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "notify-theme-1.3.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-cmOshcwbdMb8SNWoyj01eH5bGZdzngqOqEM148lVOaI6GXiJRy0HGHzm5pOFtVGDazLj+QPPX4lunRIFPhTCaA==",
                "sha1": "f1e91ad29b3eeac42e378417b0638b1e6294b546"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/notify-theme/MAL-2026-10157.json"