MAL-2026-10156
Malicious code in notify-logs (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (fec337f1c1858ad605f875ea51feb09f84fbd2eb702c7bc0462dbb427b3eff05) notify-logs@1.3.5 presents itself as the `pino` logger (export name `pino`, README and type definitions mimic pino, npm version badge points at the legitimate pino package) but its runtime behavior is a remote-code dropper. index.js exports middleware that, on first invocation, uses child_process.spawn to launch a detached `node` process running lib/caller.js with stdio ignored. lib/caller.js performs an HTTP GET against https://jsonkeeper.com/b/EXSIF (a mutable anonymous JSON-paste host), reads `.data.cookie` from the response, and passes that string to `new Function.constructor("require", s)` then invokes it with the real `require` — compiling and executing attacker-controlled JavaScript inside the consumer's Node process with full module access. lib/const.js additionally stores a base64-encoded fallback endpoint (`aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iL1pLNDVK` → https://jsonkeeper.com/b/ZK45J) along with base64-encoded header name/value, hiding the secondary C2 from plain-string scanners. The combination of logger impersonation, opaque remote payload from an anonymous mutable host, detached/silent execution, and obfuscated fallback endpoint is unambiguous supply-chain abuse: any application that loads and invokes this middleware grants the publisher arbitrary code execution.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for notify-logs (npm). Pin to a known-safe version or switch to an alternative.