npm

notify-funcs @1.3.6

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 6:33 PM UTC

Malicious

OSV ID

MAL-2026-10155

Ecosystem

npm

Summary

The package presents itself as a pino-compatible logging middleware (exports check as both default and pino named export) but its actual behavior on invocation is to spawn a detached Node child running lib/vcall.js, which fetches JavaScript from an IPFS gateway URL (https://emerald-accurate-urial-9.mypinata.cloud/ipfs/bafkreify2ijjvromekknzxzvqaopft6muwlpl37mvmpdeazwzzkbjzkuxm) and executes the response via new Function.constructor('require', src)(require) , granting the remote payload full Node.js capabilities. The detached spawn is designed to survive parent exit. lib/const.js also ships base64-encoded strings (e.g. DEV_API_KEY decoding to https://jsonkeeper.com/b/ZK45J) referencing an anonymous paste-host endpoint consistent with additional staging. The logger-mimicking API surface and pino-shaped exports are a decoy for the remote-execution dropper: any consumer wiring this as Express middleware triggers arbitrary remote code execution on the host.

Source: amazon-inspector (9b65341bde476af6b80e1fbaa9f9a844b7fdc023ef02f5fabb88514d88012159)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.