MAL-2026-10158
Malicious code in notify-utilities (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (25536516e16cffdc7ad2891886d7dcf32ad325b9ba79c2359026809bcfbf417f) Package published as notify-utilities masquerades as the pino logger (package.json description, keywords, and index.d.ts are copied from pino; the exported factory is named `pino`). When a consumer requires the package and invokes the exported factory, index.js spawns lib/vcall.js as a detached, unref'd Node child process. That child performs `axios.get('https://api.jsonsilo.com/public/df71fd55-4f0c-4326-9b5b-a285e38023a5')`, extracts `response.data.model` as a JavaScript source string, constructs a function from it via `new Function.constructor('require', src)`, and invokes the resulting handler with the live `require`, giving the fetched code full module-loading access inside the installer's Node process. The remote source is a third-party JSON storage service under attacker control; the fetched content is mutable and not tied to any publisher signature or version pin. The detached+unref child pattern is used to keep the fetch-and-eval alive after the factory's synchronous return, hiding the ongoing remote execution from the calling process.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for notify-utilities (npm). Pin to a known-safe version or switch to an alternative.