Supply-chain threat intelligence

Incident detail

criticalnpm·malware·osv

Malicious code in notifier-funcs (npm)

notifier-funcs

Risk score

92

AI summary

Indexed incident for notifier-funcs (npm).

Description

On require, index.js spawns a detached Node child (spawn('node', [...], {detached:true, stdio:'inherit'}); child.unref()) that runs lib/vcall.js. That script fetches JavaScript from the hardcoded endpoint https://api.jsonsilo.com/public/c6c0b393-932f-4ae1-8fca-23c6747f4acc via axios, extracts the.data.model field, and executes it through Function.constructor(...)('require',...), yielding arbitrary code execution on the installer's machine controlled by whoever manages that endpoint. lib/const.js also carries a base64-encoded secondary endpoint decoding to https://jsonkeeper.com/b/ZK45J. The package presents itself as a pino-style logger but ships no such functionality; the exported surface is a cover for the remote-fetch-and-eval behavior. The remote source is a mutable third-party JSON hosting service whose content can be swapped at any time, and the detached-child pattern hides the payload from the parent process.

Technical details

Affected versions

=1.3.4

Indicators

  • affected version=1.3.475%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents