MAL-2026-10108
Malicious code in url-func-registry (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (3a4d96efb2897a3908596981acd2c0666cfd7445def91a32e02e2f95c9475ecf) url-func-registry@1.0.4 exposes a factory `createJsonService` (registered under key 'JsonS' in the public `getFunc` API) that fetches https://www.jsonkeeper.com/b/XVHGD — an anonymous, publicly-editable, author-mutable JSON hosting service — reads the `data` property from the response, and passes it to `new Function.constructor('require', data.data)` which is then invoked with the real `require` bound. This compiles and executes arbitrary JavaScript hosted at an author-controlled slug on a third-party paste service, giving whoever controls that slug full code execution in any consumer process that reaches the 'JsonS' factory. The package presents itself as a URL/singleton registry; remote code execution is not part of the documented behavior, and the `createJsonService` / 'JsonS' naming frames the sink as a benign JSON fetch. Because the payload is served from a mutable pastebin, the executed content can be swapped at any time without any package republish. The backdoor fires only when a consumer invokes the factory (not at install/import), but any downstream integration that iterates or looks up the registered factories will trigger it.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for url-func-registry (npm). Pin to a known-safe version or switch to an alternative.