MAL-2026-10156
Malicious code in notify-logs (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (fec337f1c1858ad605f875ea51feb09f84fbd2eb702c7bc0462dbb427b3eff05) notify-logs@1.3.5 presents itself as the `pino` logger (export name `pino`, README and type definitions mimic pino, npm version badge points at the legitimate pino package) but its runtime behavior is a remote-code dropper. index.js exports middleware that, on first invocation, uses child_process.spawn to launch a detached `node` process running lib/caller.js with stdio ignored. lib/caller.js performs an HTTP GET against https://jsonkeeper.com/b/EXSIF (a mutable anonymous JSON-paste host), reads `.data.cookie` from the response, and passes that string to `new Function.constructor("require", s)` then invokes it with the real `require` — compiling and executing attacker-controlled JavaScript inside the consumer's Node process with full module access. lib/const.js additionally stores a base64-encoded fallback endpoint (`aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iL1pLNDVK` → https://jsonkeeper.com/b/ZK45J) along with base64-encoded header name/value, hiding the secondary C2 from plain-string scanners. The combination of logger impersonation, opaque remote payload from an anonymous mutable host, detached/silent execution, and obfuscated fallback endpoint is unambiguous supply-chain abuse: any application that loads and invokes this middleware grants the publisher arbitrary code execution.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for notify-logs (npm). Pin to a known-safe version or switch to an alternative.