OSV Malicious Advisory
scanned 8h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10449 confirms this npm version as malicious. The package impersonates the pino logger (README assets, keywords, and internal filenames such as lib/proto.js, lib/multistream.js, lib/redaction.js, lib/transport.js, lib/writer.js are pino-branded) but its declared purpose is unrelated. On require, index.js loads lib/writer.js, which builds an object containing the full process.env, os.platform(), os.hostname(), os.userInfo().username, and non-internal MAC...
Decision evidence
public snapshotSource & flagged code
4 flagged · loading sourceSource contains an obfuscator-style string-array loader that reconstructs and executes hidden code.
lib/content.jsView on unpkg · L1Package source references a known benign dynamic code generation pattern.
lib/content.jsView on unpkg · L3