notifier-log @1.3.5
Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 6:33 PM UTC
OSV ID
MAL-2026-10153
Ecosystem
npm
Summary
The package presents itself as a pino-compatible logger (main entry exports a middleware aliased as pino , and lib/ contains pino-shaped files such as proto.js, redaction.js, multistream.js, transport.js), but its middleware spawns a detached child process running lib/caller.js which fetches a JSON blob from a hardcoded jsonkeeper.com paste, extracts a .cookie string, and passes it to new Function.constructor('require', s)(require) . This executes attacker-controlled JavaScript with full require access under the installer's Node process. A base64-encoded backup endpoint and secret header key are stored in lib/const.js (decoding to a second jsonkeeper.com paste URL with an x-secret-key header), providing a redundant delivery channel. Because jsonkeeper.com is a mutable public paste site, the served payload can be changed at any moment. The logger API is a cover story for the dropper.
Source: amazon-inspector (f4c2346bef8105dc24079ee47eb8cd65dbb92f7dbbd6d17ac0c576646878298c)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.