MAL-2026-10155
Malicious code in notify-funcs (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (9b65341bde476af6b80e1fbaa9f9a844b7fdc023ef02f5fabb88514d88012159) The package presents itself as a pino-compatible logging middleware (exports `check` as both default and `pino` named export) but its actual behavior on invocation is to spawn a detached Node child running lib/vcall.js, which fetches JavaScript from an IPFS gateway URL (https://emerald-accurate-urial-9.mypinata.cloud/ipfs/bafkreify2ijjvromekknzxzvqaopft6muwlpl37mvmpdeazwzzkbjzkuxm) and executes the response via `new Function.constructor('require', src)(require)`, granting the remote payload full Node.js capabilities. The detached spawn is designed to survive parent exit. lib/const.js also ships base64-encoded strings (e.g. DEV_API_KEY decoding to https://jsonkeeper.com/b/ZK45J) referencing an anonymous paste-host endpoint consistent with additional staging. The logger-mimicking API surface and pino-shaped exports are a decoy for the remote-execution dropper: any consumer wiring this as Express middleware triggers arbitrary remote code execution on the host.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for notify-funcs (npm). Pin to a known-safe version or switch to an alternative.