-= Per source details. Do not edit below this line.=-
Package jsonfb@1.1.0 is presented as a JSON.parse bigint helper (mimicking json-bigint, and re-using the real json-bigint maintainer's name in package.json while the repository URL points at an unrelated org). The entire 471 KB index.js is packed with obfuscator.io (rotating 3004-entry string array, RC4-based string decoder, self-defending debugger check, control-flow flattening) that hides all require targets, destination URLs, and config keys. Behind the obfuscation, the module pulls vm, fs, os, http, https, crypto and implements fetchRemoteRiskCode, which HTTP-GETs base64-encoded JavaScript from a set of remoteCodeUrls, decodes it with Buffer.from(data.code,'base64'), and executes it via new vm.Script(code,{filename,timeout}).runInContext(sandboxContext) inside a SandboxManager that exposes fs, os, path, childprocess, http, and require to the fetched code. A startRiskCodePolling loop (default 30s) auto-starts when NODEENV=production or when RISKCODEAUTO_START is set. A companion remoteLog path builds HMAC-MD5-signed POSTs (signWithMD5 with hardcoded signSecretKey/signSecretValue) to remoteLogUrls to ship runtime state and sandbox output back to the operator. The obfuscation, the impersonated author identity, the typosquat name, and the require-time remote-code-execution + signed exfiltration channel together constitute a live C2/dropper delivered as a fake JSON parser.
{
"malicious-packages-origins": [
{
"sha256": "7fc07bf73ed684a1d555baa4dc6cadcd170bde4da4779ef62c0dd3f9cf02c99a",
"id": "IN-MAL-2026-010174",
"import_time": "2026-07-13T10:37:34.826441672Z",
"modified_time": "2026-07-13T09:17:31Z",
"versions": [
"1.1.0"
],
"source": "amazon-inspector"
},
{
"sha256": "98848bd28a5e3618e7db4e91a9186f70be344122f20a963317063ca52badd0b3",
"id": "IN-MAL-2026-010177",
"import_time": "2026-07-13T10:37:35.080466974Z",
"modified_time": "2026-07-13T09:17:54Z",
"versions": [
"1.1.0-beta.1"
],
"source": "amazon-inspector"
},
{
"sha256": "cc9554116a6b3a8cb431a21bbfe2f603f8ace900d2f7da8aac59178461157c4f",
"id": "IN-MAL-2026-010178",
"import_time": "2026-07-13T10:37:35.16099686Z",
"modified_time": "2026-07-13T09:18:02Z",
"versions": [
"1.1.0-beta.2"
],
"source": "amazon-inspector"
}
]
}{
"package_integrity": [
{
"filename": "jsonfb-1.1.0-beta.1.tgz",
"hashes": {
"sha512_sri": "sha512-lNBIS+g1L2vU1l6jjrXG4lGrctxDUJ9Ku3RzyAk5uUn3M3jvZV9tXSm+ik879K1xcrOOfxrdoM+FzU/8LiZPSg==",
"sha1": "095b89d4544d5c6fdaed3c138320f9a7825614a4"
}
}
],
"evidence_files": [
{
"sha256": "57f0f45bba6668ed3e98cbd6ea939501f03d5ca248f00489b5629d67d46f0ac6",
"tlsh": "89a4c19467c0e40762cf0b53ff06bae9e56ba9b674c8a8478664799d25bc107c1f0ef0",
"path": "index.js"
},
{
"sha256": "776be8428a91158eef4e02cb7cfde8051e4a863708dbb5d85b6e3fd4293504e6",
"tlsh": "cef0e230c174aea30add6b90ac9a2846a9434c679894fc283793111d9fee52f55fd2bc",
"path": "package.json"
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/jsonfb/MAL-2026-10437.json"