registry  /  url-func-registry  /  1.0.4

url-func-registry@1.0.4

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10108 confirms this npm version as malicious. url-func-registry@1.0.4 exposes a factory `createJsonService` (registered under key 'JsonS' in the public `getFunc` API) that fetches https://www.jsonkeeper.com/b/XVHGD — an anonymous, publicly-editable, author-mutable JSON hosting service — reads the `data` property from the response, and passes it to `new Function.constructor('require', data.data)` which is then invoked with the real `require` bound...

Advisory
MAL-2026-10108
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in url-func-registry (npm)
Details
url-func-registry@1.0.4 exposes a factory `createJsonService` (registered under key 'JsonS' in the public `getFunc` API) that fetches https://www.jsonkeeper.com/b/XVHGD — an anonymous, publicly-editable, author-mutable JSON hosting service — reads the `data` property from the response, and passes it to `new Function.constructor('require', data.data)` which is then invoked with the real `require` bound. This compiles and executes arbitrary JavaScript hosted at an author-controlled slug on a third-party paste service, giving whoever controls that slug full code execution in any consumer process that reaches the 'JsonS' factory. The package presents itself as a URL/singleton registry; remote code execution is not part of the documented behavior, and the `createJsonService` / 'JsonS' naming frames the sink as a benign JSON fetch. Because the payload is served from a mutable pastebin, the executed content can be swapped at any time without any package republish. The backdoor fires only when a consumer invokes the factory (not at install/import), but any downstream integration that iterates or looks up the registered factories will trigger it.
Decision reason
OpenSSF Malicious Packages via OSV confirms url-func-registry@1.0.4 as malicious (MAL-2026-10108): Malicious code in url-func-registry (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory