npm

@jaymara/jsononifier @1.0.2

Vulnerability report · Last retrieved from osv.dev July 11, 2026 at 5:36 AM UTC

Malicious

OSV ID

MAL-2026-10177

Ecosystem

npm

Summary

@jaymara/jsononifier@1.0.2 is advertised as a JSON formatting utility but ships a covert command-execution primitive that fires on require. index.js loads trigger.js, which checks for sandbox indicators (process.env.CI==='true', NODE_ENV==='test', existence of /.dockerenv) and the platform (win32); when those checks indicate a real Windows workstation, it schedules Executer.js via process.nextTick + setTimeout(5000). Executer.js XOR-decodes a byte array from payload.js using key 'xorkey123' and passes the resulting string to child_process.exec with { windowsHide: true }. payload.js openly comments the intent ('XOR-encoded command – not visible in source'). The current decoded value is a demo (calc.exe), but the mechanism — opaque encoded bytes decoded at runtime and handed to exec, gated to skip CI/test/Docker and only fire on real victim machines — is the attack: a future tarball can swap the byte array for any command without changing the visible code. None of this is required by, or consistent with, a JSON formatter.

Source: amazon-inspector (ade6fb9a07c6f1417e9569af48b6c638bf12fba7540493b1b38a2d6ba42d101c)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.