Supply-chain threat intelligence

Incident detail

criticalnpm·malware·osv

Malicious code in @jaymara/jsononifier (npm)

@jaymara/jsononifier

Risk score

92

AI summary

Indexed incident for @jaymara/jsononifier (npm).

Description

@jaymara/jsononifier@1.0.2 is advertised as a JSON formatting utility but ships a covert command-execution primitive that fires on require. index.js loads trigger.js, which checks for sandbox indicators (process.env.CI==='true', NODE_ENV==='test', existence of /.dockerenv) and the platform (win32); when those checks indicate a real Windows workstation, it schedules Executer.js via process.nextTick + setTimeout(5000). Executer.js XOR-decodes a byte array from payload.js using key 'xorkey123' and passes the resulting string to child_process.exec with { windowsHide: true }. payload.js openly comments the intent ('XOR-encoded command – not visible in source'). The current decoded value is a demo (calc.exe), but the mechanism — opaque encoded bytes decoded at runtime and handed to exec, gated to skip CI/test/Docker and only fire on real victim machines — is the attack: a future tarball can swap the byte array for any command without changing the visible code. None of this is required by, or consistent with, a JSON formatter.

Technical details

Affected versions

=1.0.0=1.0.2=1.0.1

Indicators

  • affected version=1.0.075%
  • affected version=1.0.275%
  • affected version=1.0.175%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents