VDB
KO

MAL-2026-10177

Malicious code in @jaymara/jsononifier (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (ade6fb9a07c6f1417e9569af48b6c638bf12fba7540493b1b38a2d6ba42d101c) @jaymara/jsononifier@1.0.2 is advertised as a JSON formatting utility but ships a covert command-execution primitive that fires on require. index.js loads trigger.js, which checks for sandbox indicators (process.env.CI==='true', NODE_ENV==='test', existence of /.dockerenv) and the platform (win32); when those checks indicate a real Windows workstation, it schedules Executer.js via process.nextTick + setTimeout(5000). Executer.js XOR-decodes a byte array from payload.js using key 'xorkey123' and passes the resulting string to child_process.exec with { windowsHide: true }. payload.js openly comments the intent ('XOR-encoded command – not visible in source'). The current decoded value is a demo (calc.exe), but the mechanism — opaque encoded bytes decoded at runtime and handed to exec, gated to skip CI/test/Docker and only fire on real victim machines — is the attack: a future tarball can swap the byte array for any command without changing the visible code. None of this is required by, or consistent with, a JSON formatter.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / @jaymara/jsononifier

No fixed version published yet for @jaymara/jsononifier (npm). Pin to a known-safe version or switch to an alternative.

References