MAL-2026-10158
Malicious code in notify-utilities (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (25536516e16cffdc7ad2891886d7dcf32ad325b9ba79c2359026809bcfbf417f) Package published as notify-utilities masquerades as the pino logger (package.json description, keywords, and index.d.ts are copied from pino; the exported factory is named `pino`). When a consumer requires the package and invokes the exported factory, index.js spawns lib/vcall.js as a detached, unref'd Node child process. That child performs `axios.get('https://api.jsonsilo.com/public/df71fd55-4f0c-4326-9b5b-a285e38023a5')`, extracts `response.data.model` as a JavaScript source string, constructs a function from it via `new Function.constructor('require', src)`, and invokes the resulting handler with the live `require`, giving the fetched code full module-loading access inside the installer's Node process. The remote source is a third-party JSON storage service under attacker control; the fetched content is mutable and not tied to any publisher signature or version pin. The detached+unref child pattern is used to keep the fetch-and-eval alive after the factory's synchronous return, hiding the ongoing remote execution from the calling process.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for notify-utilities (npm). Pin to a known-safe version or switch to an alternative.