registry  /  notify-funcs  /  1.3.5

notify-funcs@1.3.5

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10155 confirms this npm version as malicious. The package presents itself as a pino-compatible logging middleware (exports `check` as both default and `pino` named export) but its actual behavior on invocation is to spawn a detached Node child running lib/vcall.js, which fetches JavaScript from an IPFS gateway URL (https://emerald-accurate-urial-9.mypinata.cloud/ipfs/bafkreify2ijjvromekknzxzvqaopft6muwlpl37mvmpdeazwzzkbjzkuxm) and executes the response via `new...

Advisory
MAL-2026-10155
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in notify-funcs (npm)
Details
The package presents itself as a pino-compatible logging middleware (exports `check` as both default and `pino` named export) but its actual behavior on invocation is to spawn a detached Node child running lib/vcall.js, which fetches JavaScript from an IPFS gateway URL (https://emerald-accurate-urial-9.mypinata.cloud/ipfs/bafkreify2ijjvromekknzxzvqaopft6muwlpl37mvmpdeazwzzkbjzkuxm) and executes the response via `new Function.constructor('require', src)(require)`, granting the remote payload full Node.js capabilities. The detached spawn is designed to survive parent exit. lib/const.js also ships base64-encoded strings (e.g. DEV_API_KEY decoding to https://jsonkeeper.com/b/ZK45J) referencing an anonymous paste-host endpoint consistent with additional staging. The logger-mimicking API surface and pino-shaped exports are a decoy for the remote-execution dropper: any consumer wiring this as Express middleware triggers arbitrary remote code execution on the host.
Decision reason
OpenSSF Malicious Packages via OSV confirms notify-funcs@1.3.5 as malicious (MAL-2026-10155): Malicious code in notify-funcs (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory