VDB
EN

MAL-2026-10154

Malicious code in notify-dist (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (1cf89f8fbe4c3f9ae9494077688977f46c8b3f875a552054508ac5eec7b62344) notify-dist advertises itself as a pino-compatible logger/middleware (exports `module.exports.pino`, keywords fast/logger/stream/json, lib/ mirrors pino internals such as proto.js, multistream.js, redaction.js, transport.js), but the exported middleware's only side effect is to launch a remote-code loader. When a consumer requires the package and invokes the exported middleware, index.js spawns `node lib/caller.js` as a detached child with `stdio: 'ignore'` and `child.unref()` so the loader survives after the parent exits. lib/caller.js issues an HTTP GET to https://jsonkeeper.com/b/BPB86 via axios, reads the `.cookie` field of the response, and executes it as JavaScript via `new Function.constructor('require', s)(require)`, giving the fetched code full Node privileges including `require`. The loader retries up to 5 times and silences console.log to hide activity. lib/const.js additionally holds base64-encoded fields that decode to a second endpoint (https://jsonkeeper.com/b/ZK45J) and header name `x-secret-key`, serving as a rotation/backup payload URL. jsonkeeper.com is a mutable third-party JSON paste host, so the executed code is fully attacker-controlled and can change at any time. The pino-shaped API surface is a lure: consumers importing this expecting logger behavior get arbitrary remote code execution on their machine.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / notify-dist

No fixed version published yet for notify-dist (npm). Pin to a known-safe version or switch to an alternative.

참고