notifier-utils @1.3.9
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC
OSV ID
MAL-2026-6923
Ecosystem
npm
Summary
The package presents itself as a pino-compatible logger (README, keywords, and a module.exports.pino alias mirror the pino identity, and lib/ replicates pino's file layout including proto.js, levels.js, transport.js, worker.js). Its actual behavior is remote code execution: index.js's exported middleware spawns node lib/caller.js with detached: true , stdio: 'ignore' , and child.unref() , hiding the child from the calling application. lib/caller.js issues an HTTPS GET to an IPFS gateway URL (emerald-accurate-urial-9.mypinata.cloud/ipfs/bafkreih3kofw4s22pcrwpi35nk57xy3r345nhsfxeuishcvljrsim3c3hq), reads the .data.model field, and executes the returned JavaScript via new Function.constructor('require', src) with require passed in — giving the fetched code full Node privileges (filesystem, network, child_process, arbitrary module loading). The IPFS-hosted payload is attacker-mutable, so the executed code can change at any time without a package update. The pino impersonation exists to induce developers to wire the exported middleware into their applications, at which point every request path that reaches the middleware triggers the remote-fetch-and-eval.
Source: amazon-inspector (6a5846e3c26fdded8225d54ec017b01be255353470c39a780bbd9b556c059120)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.