npm · Malicious package advisory
Malwareurl-func-registry
MAL-2026-10108
Malicious code in url-func-registry (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (3a4d96efb2897a3908596981acd2c0666cfd7445def91a32e02e2f95c9475ecf)
url-func-registry@1.0.4 exposes a factory `createJsonService` (registered under key 'JsonS' in the public `getFunc` API) that fetches https://www.jsonkeeper.com/b/XVHGD — an anonymous, publicly-editable, author-mutable JSON hosting service — reads the `data` property from the response, and passes it to `new Function.constructor('require', data.data)` which is then invoked with the real `require` bound. This compiles and executes arbitrary JavaScript hosted at an author-controlled slug on a third-party paste service, giving whoever controls that slug full code execution in any consumer process that reaches the 'JsonS' factory. The package presents itself as a URL/singleton registry; remote code execution is not part of the documented behavior, and the `createJsonService` / 'JsonS' naming frames the sink as a benign JSON fetch. Because the payload is served from a mutable pastebin, the executed content can be swapped at any time without any package republish. The backdoor fires only when a consumer invokes the factory (not at install/import), but any downstream integration that iterates or looks up the registered factories will trigger it.
Compromised versions (1)
- 1.0.4
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.