MAL-2026-10418

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/note-utilities/MAL-2026-10418.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10418
Published
2026-07-13T06:49:02Z
Modified
2026-07-13T07:47:03.381885006Z
Summary
Malicious code in note-utilities (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (4f093c8536c89f9d6c524ae212051fc45a5244d910afd8ee3abe30698f15b75d)

The package masquerades as a pino-style logger (keywords fast/logger/stream/json; lib/ contents copied from pinojs/pino) but ships an additional loader at lib/vcall.js. On require, index.js spawns a detached node lib/vcall.js child (detached + unref so it outlives the parent). vcall.js performs an HTTPS GET to https://api.jsonsilo.com/public/94b14d9d-6286-4b13-a7fe-8442e55a31b4, takes the returned data.model string, and passes it to Function.constructor("require", src) before invoking it with the real require. Any JavaScript the third-party JSON hosting endpoint returns runs in the installer's Node process with full module-loading access. The endpoint is attacker-mutable, and the pino-style logger surface is a cover story unrelated to the loader.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "2.1.2"
            ],
            "id": "IN-MAL-2026-009829",
            "import_time": "2026-07-13T07:40:11.582725819Z",
            "modified_time": "2026-07-13T06:49:02Z",
            "sha256": "4f093c8536c89f9d6c524ae212051fc45a5244d910afd8ee3abe30698f15b75d",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / note-utilities

Package

Affected ranges

Affected versions

2.*
2.1.2

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "11c4069edef394345e2c982d398e47837c4f987ec576c1d61ef6e68d39862ec8",
            "tlsh": "64f0a31e31f62168597360f59b4f1112b103d5263a0aeed673cc43410fa946a3bb7bd0",
            "path": "lib/vcall.js"
        },
        {
            "tlsh": "07f0ac4636f5a7a023249ec5fa0ae8372cc2c4317301ecb0d2ceb5e20743a6c86b74d8",
            "sha256": "a5746f11a2fd192d52377570a8abcf99976464fb3da13acbb494a13c4ab0ed57",
            "path": "index.js"
        },
        {
            "sha256": "d2b75054f373d943497eec64cadb9d37ab1d72a591bd7c4cce5eff42e94d57b1",
            "tlsh": "b3f0ff24cd789e6305ec65924c2a0243a6a19c176918fc2933e7611c4f9d5ff15ff26e",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "note-utilities-2.1.2.tgz",
            "hashes": {
                "sha512_sri": "sha512-K0JvWTznXNBEoJjw2KhQRRU4p11QkiPYN04kdQBrHehiOwnv9gsaTZR7j55/8JDN0qpc1zzJkaq/hGlIOGjauA==",
                "sha1": "ac3f5b02d80650092ca3f2f34f884e3e126d2d4d"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/note-utilities/MAL-2026-10418.json"