VDB
KO

MAL-2026-10108

Malicious code in url-func-registry (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (3a4d96efb2897a3908596981acd2c0666cfd7445def91a32e02e2f95c9475ecf) url-func-registry@1.0.4 exposes a factory `createJsonService` (registered under key 'JsonS' in the public `getFunc` API) that fetches https://www.jsonkeeper.com/b/XVHGD — an anonymous, publicly-editable, author-mutable JSON hosting service — reads the `data` property from the response, and passes it to `new Function.constructor('require', data.data)` which is then invoked with the real `require` bound. This compiles and executes arbitrary JavaScript hosted at an author-controlled slug on a third-party paste service, giving whoever controls that slug full code execution in any consumer process that reaches the 'JsonS' factory. The package presents itself as a URL/singleton registry; remote code execution is not part of the documented behavior, and the `createJsonService` / 'JsonS' naming frames the sink as a benign JSON fetch. Because the payload is served from a mutable pastebin, the executed content can be swapped at any time without any package republish. The backdoor fires only when a consumer invokes the factory (not at install/import), but any downstream integration that iterates or looks up the registered factories will trigger it.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / url-func-registry

No fixed version published yet for url-func-registry (npm). Pin to a known-safe version or switch to an alternative.

References