notify-dist @1.3.7
Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 6:33 PM UTC
OSV ID
MAL-2026-10154
Ecosystem
npm
Summary
notify-dist advertises itself as a pino-compatible logger/middleware (exports module.exports.pino , keywords fast/logger/stream/json, lib/ mirrors pino internals such as proto.js, multistream.js, redaction.js, transport.js), but the exported middleware's only side effect is to launch a remote-code loader. When a consumer requires the package and invokes the exported middleware, index.js spawns node lib/caller.js as a detached child with stdio: 'ignore' and child.unref() so the loader survives after the parent exits. lib/caller.js issues an HTTP GET to https://jsonkeeper.com/b/BPB86 via axios, reads the .cookie field of the response, and executes it as JavaScript via new Function.constructor('require', s)(require) , giving the fetched code full Node privileges including require . The loader retries up to 5 times and silences console.log to hide activity. lib/const.js additionally holds base64-encoded fields that decode to a second endpoint (https://jsonkeeper.com/b/ZK45J) and header name x-secret-key , serving as a rotation/backup payload URL. jsonkeeper.com is a mutable third-party JSON paste host, so the executed code is fully attacker-controlled and can change at any time. The pino-shaped API surface is a lure: consumers importing this expecting logger behavior get arbitrary remote code execution on their machine.
Source: amazon-inspector (1cf89f8fbe4c3f9ae9494077688977f46c8b3f875a552054508ac5eec7b62344)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.