MAL-2026-10153
Malicious code in notifier-log (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (f4c2346bef8105dc24079ee47eb8cd65dbb92f7dbbd6d17ac0c576646878298c) The package presents itself as a pino-compatible logger (main entry exports a middleware aliased as `pino`, and `lib/` contains pino-shaped files such as proto.js, redaction.js, multistream.js, transport.js), but its middleware spawns a detached child process running `lib/caller.js` which fetches a JSON blob from a hardcoded jsonkeeper.com paste, extracts a `.cookie` string, and passes it to `new Function.constructor('require', s)(require)`. This executes attacker-controlled JavaScript with full `require` access under the installer's Node process. A base64-encoded backup endpoint and secret header key are stored in `lib/const.js` (decoding to a second jsonkeeper.com paste URL with an `x-secret-key` header), providing a redundant delivery channel. Because jsonkeeper.com is a mutable public paste site, the served payload can be changed at any moment. The logger API is a cover story for the dropper.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for notifier-log (npm). Pin to a known-safe version or switch to an alternative.