OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10177 confirms this npm version as malicious. @jaymara/jsononifier@1.0.2 is advertised as a JSON formatting utility but ships a covert command-execution primitive that fires on require. index.js loads trigger.js, which checks for sandbox indicators (process.env.CI==='true', NODE_ENV==='test', existence of /.dockerenv) and the platform (win32); when those checks indicate a real Windows workstation, it schedules Executer.js via process.nextTick +...
Advisory
MAL-2026-10177
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @jaymara/jsononifier (npm)
Details
@jaymara/jsononifier@1.0.2 is advertised as a JSON formatting utility but ships a covert command-execution primitive that fires on require. index.js loads trigger.js, which checks for sandbox indicators (process.env.CI==='true', NODE_ENV==='test', existence of /.dockerenv) and the platform (win32); when those checks indicate a real Windows workstation, it schedules Executer.js via process.nextTick + setTimeout(5000). Executer.js XOR-decodes a byte array from payload.js using key 'xorkey123' and passes the resulting string to child_process.exec with { windowsHide: true }. payload.js openly comments the intent ('XOR-encoded command – not visible in source'). The current decoded value is a demo (calc.exe), but the mechanism — opaque encoded bytes decoded at runtime and handed to exec, gated to skip CI/test/Docker and only fire on real victim machines — is the attack: a future tarball can swap the byte array for any command without changing the visible code. None of this is required by, or consistent with, a JSON formatter.
Decision reason
OpenSSF Malicious Packages via OSV confirms @jaymara/jsononifier@1.0.0 as malicious (MAL-2026-10177): Malicious code in @jaymara/jsononifier (npm)
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory