url-func-registry @1.0.4
Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 1:30 AM UTC
OSV ID
MAL-2026-10108
Ecosystem
npm
Summary
url-func-registry@1.0.4 exposes a factory createJsonService (registered under key 'JsonS' in the public getFunc API) that fetches https://www.jsonkeeper.com/b/XVHGD — an anonymous, publicly-editable, author-mutable JSON hosting service — reads the data property from the response, and passes it to new Function.constructor('require', data.data) which is then invoked with the real require bound. This compiles and executes arbitrary JavaScript hosted at an author-controlled slug on a third-party paste service, giving whoever controls that slug full code execution in any consumer process that reaches the 'JsonS' factory. The package presents itself as a URL/singleton registry; remote code execution is not part of the documented behavior, and the createJsonService / 'JsonS' naming frames the sink as a benign JSON fetch. Because the payload is served from a mutable pastebin, the executed content can be swapped at any time without any package republish. The backdoor fires only when a consumer invokes the factory (not at install/import), but any downstream integration that iterates or looks up the registered factories will trigger it.
Source: amazon-inspector (3a4d96efb2897a3908596981acd2c0666cfd7445def91a32e02e2f95c9475ecf)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.