jsf-utils @1.3.1
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC
OSV ID
MAL-2026-6921
Ecosystem
npm
Summary
On require('jsf-utils'), lib/string/pathcase.js runs a top-level async IIFE that fetches a JavaScript payload from https://jsonkeeper.com/b/BPB86 and executes it in-process via Function.constructor with access to the installer's require. The file is auto-loaded because lib/index.js and lib/string/index.js recursively require every module in the tree. The exported pathcase function additionally spawns a detached, stdio-ignored node child process using the fetched script as argv, extending execution beyond the import-time IIFE and surviving parent exit. The remote-fetch-and-eval logic is placed inside a file whose stated purpose is a trivial string helper (pathcase), with the original benign implementation left commented out below the payload — concealment inside an innocuous utility. The package impersonates jonschlinkert/utils by reusing that project's author, homepage, and repository metadata while shipping under the name jsf-utils. Because the payload host is a mutable anonymous paste service, the executed code can be changed by the attacker at any time without republishing the package.
Source: amazon-inspector (f6a2a0bbd4939a789673bdca08866c9be58dd361df175695e7f8c1141bed4e47)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.