notifier-utils @1.3.8
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 1:25 AM UTC
OSV ID
MAL-2026-6923
Ecosystem
npm
Summary
The package's main entry (index.js) exposes a middleware factory aliased as pino /default that, on first invocation, spawns a detached, unref'd node lib/caller.js child process. lib/caller.js issues an HTTP GET against https://jsonkeeper.com/b/HIOEN (an anonymous, author-mutable JSON-paste host) and passes the response body to new Function.constructor("require", src)(require) , executing arbitrary attacker-controlled JavaScript in the installer's Node process with access to require . Up to 5 retries are attempted. A second jsonkeeper URL (https://jsonkeeper.com/b/ZK45J) and an associated x-secret-key: _ header are stored base64-encoded in lib/const.js as a fallback fetch target. The package name, keyword set, and lib/ layout (proto.js, redaction.js, multistream.js, transport.js, worker.js, meta.js reporting version '9.6.0') impersonate the legitimate pino logger to induce consumers to require it. Because the dropper fires from the main-module require path, any consumer that imports notifier-utils triggers arbitrary remote code execution controllable by the paste owner at any time.
Source: amazon-inspector (ba547b66886d76bff74f9c797b08f614eb5eb799359a28d0cdeb35dd1a0458ff)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.