VYPR

npm · Malicious package advisory

Malware

notifier-log

MAL-2026-10153

Malicious code in notifier-log (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (f4c2346bef8105dc24079ee47eb8cd65dbb92f7dbbd6d17ac0c576646878298c)
The package presents itself as a pino-compatible logger (main entry exports a middleware aliased as `pino`, and `lib/` contains pino-shaped files such as proto.js, redaction.js, multistream.js, transport.js), but its middleware spawns a detached child process running `lib/caller.js` which fetches a JSON blob from a hardcoded jsonkeeper.com paste, extracts a `.cookie` string, and passes it to `new Function.constructor('require', s)(require)`. This executes attacker-controlled JavaScript with full `require` access under the installer's Node process. A base64-encoded backup endpoint and secret header key are stored in `lib/const.js` (decoding to a second jsonkeeper.com paste URL with an `x-secret-key` header), providing a redundant delivery channel. Because jsonkeeper.com is a mutable public paste site, the served payload can be changed at any moment. The logger API is a cover story for the dropper.

Compromised versions (1)

  • 1.3.5

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.