Supply-chain threat intelligence

Incident detail

criticalnpm·malware·osv

Malicious code in url-func-registry (npm)

url-func-registry

Risk score

92

AI summary

Indexed incident for url-func-registry (npm).

Description

url-func-registry@1.0.4 exposes a factory createJsonService (registered under key 'JsonS' in the public getFunc API) that fetches https://www.jsonkeeper.com/b/XVHGD — an anonymous, publicly-editable, author-mutable JSON hosting service — reads the data property from the response, and passes it to new Function.constructor('require', data.data) which is then invoked with the real require bound. This compiles and executes arbitrary JavaScript hosted at an author-controlled slug on a third-party paste service, giving whoever controls that slug full code execution in any consumer process that reaches the 'JsonS' factory. The package presents itself as a URL/singleton registry; remote code execution is not part of the documented behavior, and the createJsonService / 'JsonS' naming frames the sink as a benign JSON fetch. Because the payload is served from a mutable pastebin, the executed content can be swapped at any time without any package republish. The backdoor fires only when a consumer invokes the factory (not at install/import), but any downstream integration that iterates or looks up the registered factories will trigger it.

Technical details

Affected versions

=1.0.4

Indicators

  • affected version=1.0.475%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents