VDB
EN

MAL-2026-10152

Malicious code in notifier-funcs (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (4da033e00206575ad1328031d625b6c6281332e9ecf5514feae6e99cb285d021) On require, index.js spawns a detached Node child (spawn('node', [...], {detached:true, stdio:'inherit'}); child.unref()) that runs lib/vcall.js. That script fetches JavaScript from the hardcoded endpoint https://api.jsonsilo.com/public/c6c0b393-932f-4ae1-8fca-23c6747f4acc via axios, extracts the.data.model field, and executes it through Function.constructor(...)('require',...), yielding arbitrary code execution on the installer's machine controlled by whoever manages that endpoint. lib/const.js also carries a base64-encoded secondary endpoint decoding to https://jsonkeeper.com/b/ZK45J. The package presents itself as a pino-style logger but ships no such functionality; the exported surface is a cover for the remote-fetch-and-eval behavior. The remote source is a mutable third-party JSON hosting service whose content can be swapped at any time, and the detached-child pattern hides the payload from the parent process.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / notifier-funcs

No fixed version published yet for notifier-funcs (npm). Pin to a known-safe version or switch to an alternative.

참고