registry  /  notifier-log  /  1.3.5

notifier-log@1.3.5

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10153 confirms this npm version as malicious. The package presents itself as a pino-compatible logger (main entry exports a middleware aliased as `pino`, and `lib/` contains pino-shaped files such as proto.js, redaction.js, multistream.js, transport.js), but its middleware spawns a detached child process running `lib/caller.js` which fetches a JSON blob from a hardcoded jsonkeeper.com paste, extracts a `.cookie` string, and passes it to `new...

Advisory
MAL-2026-10153
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in notifier-log (npm)
Details
The package presents itself as a pino-compatible logger (main entry exports a middleware aliased as `pino`, and `lib/` contains pino-shaped files such as proto.js, redaction.js, multistream.js, transport.js), but its middleware spawns a detached child process running `lib/caller.js` which fetches a JSON blob from a hardcoded jsonkeeper.com paste, extracts a `.cookie` string, and passes it to `new Function.constructor('require', s)(require)`. This executes attacker-controlled JavaScript with full `require` access under the installer's Node process. A base64-encoded backup endpoint and secret header key are stored in `lib/const.js` (decoding to a second jsonkeeper.com paste URL with an `x-secret-key` header), providing a redundant delivery channel. Because jsonkeeper.com is a mutable public paste site, the served payload can be changed at any moment. The logger API is a cover story for the dropper.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 52.5 KB of source, external domains: github.com, jsonkeeper.com

Source & flagged code

1 flagged · loading source
docs/transports.mdView file
550patternName = generic_password severity = medium line = 550 matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in docs/transports.md

docs/transports.mdView on unpkg · L550

Findings

1 High3 Medium3 Low
HighEval
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndocs/transports.md
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings