OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10156 confirms this npm version as malicious. notify-logs@1.3.5 presents itself as the `pino` logger (export name `pino`, README and type definitions mimic pino, npm version badge points at the legitimate pino package) but its runtime behavior is a remote-code dropper. index.js exports middleware that, on first invocation, uses child_process.spawn to launch a detached `node` process running lib/caller.js with stdio ignored. lib/caller.js performs an HTTP GET...
Advisory
MAL-2026-10156
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in notify-logs (npm)
Details
notify-logs@1.3.5 presents itself as the `pino` logger (export name `pino`, README and type definitions mimic pino, npm version badge points at the legitimate pino package) but its runtime behavior is a remote-code dropper. index.js exports middleware that, on first invocation, uses child_process.spawn to launch a detached `node` process running lib/caller.js with stdio ignored. lib/caller.js performs an HTTP GET against https://jsonkeeper.com/b/EXSIF (a mutable anonymous JSON-paste host), reads `.data.cookie` from the response, and passes that string to `new Function.constructor("require", s)` then invokes it with the real `require` — compiling and executing attacker-controlled JavaScript inside the consumer's Node process with full module access. lib/const.js additionally stores a base64-encoded fallback endpoint (`aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iL1pLNDVK` → https://jsonkeeper.com/b/ZK45J) along with base64-encoded header name/value, hiding the secondary C2 from plain-string scanners. The combination of logger impersonation, opaque remote payload from an anonymous mutable host, detached/silent execution, and obfuscated fallback endpoint is unambiguous supply-chain abuse: any application that loads and invokes this middleware grants the publisher arbitrary code execution.
Decision reason
One or more suspicious static signals were detected.
References
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsNetwork
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedocs/transports.mdView file
550patternName = generic_password
severity = medium
line = 550
matchedText = password...rd',
Medium
Findings
1 High3 Medium3 Low
HighEval
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndocs/transports.md
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings