registry  /  configration  /  2.3.5

configration@2.3.5

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-7009 confirms this npm version as malicious. The package impersonates the `pino` logger (README badges, `module.exports.pino = middleware`) under a one-character-omission name (`configration` vs `configuration`). When a consumer requires the package and invokes the exported middleware factory, `index.js` detaches a child process running `lib/initializeCaller.js`...

Advisory
MAL-2026-7009
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in configration (npm)
Details
The package impersonates the `pino` logger (README badges, `module.exports.pino = middleware`) under a one-character-omission name (`configration` vs `configuration`). When a consumer requires the package and invokes the exported middleware factory, `index.js` detaches a child process running `lib/initializeCaller.js`. That child decodes a base64-obfuscated URL stored under decoy field names (`DEV_API_KEY`, `DEV_SECRET_KEY`) inside a locally shadowed `process` object, resolving to `https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df`. It POSTs the entire spread `process.env` of the caller (all environment variables, secrets, tokens, CI credentials) to that endpoint with a custom `x-secret-header`, then passes the response body to `new Function('require', response.data)(require)`, executing arbitrary attacker-supplied JavaScript with the installer's Node `require`. This is a combined credential exfiltration + remote-code-execution channel gated only by requiring/loading the module.
Decision reason
OpenSSF Malicious Packages via OSV confirms configration@2.3.5 as malicious (MAL-2026-7009): Malicious code in configration (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory