OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10153 confirms this npm version as malicious. The package presents itself as a pino-compatible logger (main entry exports a middleware aliased as `pino`, and `lib/` contains pino-shaped files such as proto.js, redaction.js, multistream.js, transport.js), but its middleware spawns a detached child process running `lib/caller.js` which fetches a JSON blob from a hardcoded jsonkeeper.com paste, extracts a `.cookie` string, and passes it to `new...
Advisory
MAL-2026-10153
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in notifier-log (npm)
Details
The package presents itself as a pino-compatible logger (main entry exports a middleware aliased as `pino`, and `lib/` contains pino-shaped files such as proto.js, redaction.js, multistream.js, transport.js), but its middleware spawns a detached child process running `lib/caller.js` which fetches a JSON blob from a hardcoded jsonkeeper.com paste, extracts a `.cookie` string, and passes it to `new Function.constructor('require', s)(require)`. This executes attacker-controlled JavaScript with full `require` access under the installer's Node process. A base64-encoded backup endpoint and secret header key are stored in `lib/const.js` (decoding to a second jsonkeeper.com paste URL with an `x-secret-key` header), providing a redundant delivery channel. Because jsonkeeper.com is a mutable public paste site, the served payload can be changed at any moment. The logger API is a cover story for the dropper.
Decision reason
One or more suspicious static signals were detected.
References
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsNetwork
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedocs/transports.mdView file
550patternName = generic_password
severity = medium
line = 550
matchedText = password...rd',
Medium
Findings
1 High3 Medium3 Low
HighEval
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndocs/transports.md
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings