notify-logs @1.3.5
Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 6:33 PM UTC
OSV ID
MAL-2026-10156
Ecosystem
npm
Summary
notify-logs@1.3.5 presents itself as the pino logger (export name pino , README and type definitions mimic pino, npm version badge points at the legitimate pino package) but its runtime behavior is a remote-code dropper. index.js exports middleware that, on first invocation, uses child_process.spawn to launch a detached node process running lib/caller.js with stdio ignored. lib/caller.js performs an HTTP GET against https://jsonkeeper.com/b/EXSIF (a mutable anonymous JSON-paste host), reads .data.cookie from the response, and passes that string to new Function.constructor("require", s) then invokes it with the real require — compiling and executing attacker-controlled JavaScript inside the consumer's Node process with full module access. lib/const.js additionally stores a base64-encoded fallback endpoint ( aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iL1pLNDVK → https://jsonkeeper.com/b/ZK45J) along with base64-encoded header name/value, hiding the secondary C2 from plain-string scanners. The combination of logger impersonation, opaque remote payload from an anonymous mutable host, detached/silent execution, and obfuscated fallback endpoint is unambiguous supply-chain abuse: any application that loads and invokes this middleware grants the publisher arbitrary code execution.
Source: amazon-inspector (fec337f1c1858ad605f875ea51feb09f84fbd2eb702c7bc0462dbb427b3eff05)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.