npm · Malicious package advisory
Malwareunifydata
MAL-2026-6441
Malicious code in unifydata (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (0c62d93328810f03f3aac73777f406eee1b3413e1c3320eb87f3445754dba9d3)
On require('unifydata'), index.js calls initPlugin() at module top level, performs an HTTPS GET to https://jsonkeeper.com/b/B40HL, JSON-parses the response, and executes the response's `cookie` field as JavaScript via `new Function.constructor('require', body.cookie)` — then immediately invokes the resulting function with the real `require`, granting it full Node module-loading capability. jsonkeeper.com is an anonymous, author-mutable JSON paste service; the bytes executed in any installer process are whatever the author has posted there at the time of import, with no pinning, hashing, or signature. The package presents itself with a header comment labeling it `normalize-plus (ES6 safe version)` and ships a benign-looking `normalizePath` helper as a decoy, while the published package name is `unifydata` — the mislabeled cover and unused utility code are consistent with a dropper masquerading as a routine helper. Any process that imports this package executes arbitrary attacker-controlled code with the privileges of that process.
Compromised versions (1)
- 3.6.6
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.