OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10437 confirms this npm version as malicious. Package jsonfb@1.1.0 is presented as a JSON.parse bigint helper (mimicking json-bigint, and re-using the real json-bigint maintainer's name in package.json while the repository URL points at an unrelated org). The entire 471 KB index.js is packed with obfuscator.io (rotating 3004-entry string array, RC4-based string decoder, self-defending debugger check, control-flow flattening) that hides all require targets,...
Advisory
MAL-2026-10437
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in jsonfb (npm)
Details
Package jsonfb@1.1.0 is presented as a JSON.parse bigint helper (mimicking json-bigint, and re-using the real json-bigint maintainer's name in package.json while the repository URL points at an unrelated org). The entire 471 KB index.js is packed with obfuscator.io (rotating 3004-entry string array, RC4-based string decoder, self-defending debugger check, control-flow flattening) that hides all require targets, destination URLs, and config keys. Behind the obfuscation, the module pulls vm, fs, os, http, https, crypto and implements fetchRemoteRiskCode, which HTTP-GETs base64-encoded JavaScript from a set of remoteCodeUrls, decodes it with Buffer.from(data.code,'base64'), and executes it via new vm.Script(code,{filename,timeout}).runInContext(sandboxContext) inside a SandboxManager that exposes fs, os, path, child_process, http, and require to the fetched code. A startRiskCodePolling loop (default 30s) auto-starts when NODE_ENV=production or when RISK_CODE_AUTO_START is set. A companion remoteLog path builds HMAC-MD5-signed POSTs (signWithMD5 with hardcoded signSecretKey/signSecretValue) to remoteLogUrls to ship runtime state and sandbox output back to the operator. The obfuscation, the impersonated author identity, the typosquat name, and the require-time remote-code-execution + signed exfiltration channel together constitute a live C2/dropper delivered as a fake JSON parser.
Decision reason
OpenSSF Malicious Packages via OSV confirms jsonfb@1.1.0-beta.2 as malicious (MAL-2026-10437): Malicious code in jsonfb (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory