MAL-2026-10177

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@jaymara/jsononifier/MAL-2026-10177.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10177
Published
2026-07-10T21:29:35Z
Modified
2026-07-10T22:01:48.804277166Z
Summary
Malicious code in @jaymara/jsononifier (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (ade6fb9a07c6f1417e9569af48b6c638bf12fba7540493b1b38a2d6ba42d101c)

@jaymara/jsononifier@1.0.2 is advertised as a JSON formatting utility but ships a covert command-execution primitive that fires on require. index.js loads trigger.js, which checks for sandbox indicators (process.env.CI==='true', NODEENV==='test', existence of /.dockerenv) and the platform (win32); when those checks indicate a real Windows workstation, it schedules Executer.js via process.nextTick + setTimeout(5000). Executer.js XOR-decodes a byte array from payload.js using key 'xorkey123' and passes the resulting string to childprocess.exec with { windowsHide: true }. payload.js openly comments the intent ('XOR-encoded command – not visible in source'). The current decoded value is a demo (calc.exe), but the mechanism — opaque encoded bytes decoded at runtime and handed to exec, gated to skip CI/test/Docker and only fire on real victim machines — is the attack: a future tarball can swap the byte array for any command without changing the visible code. None of this is required by, or consistent with, a JSON formatter.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "7d4826185eb8033f7f55a85e760d0acb0425b463ce1ec95af4c1ae9f6d2ce05b",
            "id": "IN-MAL-2026-009717",
            "import_time": "2026-07-10T21:50:33.089783497Z",
            "modified_time": "2026-07-10T21:29:53Z",
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.0.2"
            ],
            "id": "IN-MAL-2026-009715",
            "import_time": "2026-07-10T21:50:32.787378748Z",
            "modified_time": "2026-07-10T21:29:35Z",
            "sha256": "ade6fb9a07c6f1417e9569af48b6c638bf12fba7540493b1b38a2d6ba42d101c",
            "source": "amazon-inspector"
        },
        {
            "versions": [
                "1.0.1"
            ],
            "id": "IN-MAL-2026-009716",
            "import_time": "2026-07-10T21:50:32.951506235Z",
            "modified_time": "2026-07-10T21:29:46Z",
            "sha256": "bad937211c6f3e71e5b1d13c7d85c5c7188db6fd5df39ec3d1216668e3b6a009",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / @jaymara/jsononifier

Package

Name
@jaymara/jsononifier
View open source insights on deps.dev
Purl
pkg:npm/%40jaymara/jsononifier

Affected ranges

Affected versions

1.*
1.0.0
1.0.1
1.0.2

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "jsononifier-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-bfebzd/Z6wvIKataAAAPyvwmKyU5XEuf/hPYjVkMkDHIQaAny/R+cJXquxJC84Ov/BchJOyqUEjmni8OUZz//w==",
                "sha1": "7edf5a5bfb76b8d7c37354078fc83053b6c31f9a"
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "1ae07d41c9e1e08a3c6865e9dcd4c26257d6da0d380aa193e9c443e129c2cc80b32f79",
            "sha256": "57beb8d9e87117a970ba48b458621c41ff8ec59456bd89af5d3f836679d5675d",
            "path": "index.js"
        },
        {
            "tlsh": "73f0e574853159730ac8b9a69deac14775664e4f4184bc0a67d3006c438eaaa05ff32d",
            "sha256": "9cd202b0bf5c652512584cdbe56f30f35fb722eb2bfdc2c8db9c26d753f13330",
            "path": "package.json"
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@jaymara/jsononifier/MAL-2026-10177.json"