MAL-2026-10152
Malicious code in notifier-funcs (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (4da033e00206575ad1328031d625b6c6281332e9ecf5514feae6e99cb285d021) On require, index.js spawns a detached Node child (spawn('node', [...], {detached:true, stdio:'inherit'}); child.unref()) that runs lib/vcall.js. That script fetches JavaScript from the hardcoded endpoint https://api.jsonsilo.com/public/c6c0b393-932f-4ae1-8fca-23c6747f4acc via axios, extracts the.data.model field, and executes it through Function.constructor(...)('require',...), yielding arbitrary code execution on the installer's machine controlled by whoever manages that endpoint. lib/const.js also carries a base64-encoded secondary endpoint decoding to https://jsonkeeper.com/b/ZK45J. The package presents itself as a pino-style logger but ships no such functionality; the exported surface is a cover for the remote-fetch-and-eval behavior. The remote source is a mutable third-party JSON hosting service whose content can be swapped at any time, and the detached-child pattern hides the payload from the parent process.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for notifier-funcs (npm). Pin to a known-safe version or switch to an alternative.