registry  /  loading-sessions  /  6.13.2

loading-sessions@6.13.2

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10471 confirms this npm version as malicious. Package name impersonates the pino logger (exports module.exports.pino, ships pino-style files lib/proto.js, lib/levels.js, lib/redaction.js, lib/multistream.js, lib/transport.js, copies pino keywords ['fast','logger','stream','json']). When the exported middleware is invoked, index.js spawns a detached `node lib/caller.js` child. lib/caller.js base64-decodes a hardcoded URL...

Advisory
MAL-2026-10471
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in loading-sessions (npm)
Details
Package name impersonates the pino logger (exports module.exports.pino, ships pino-style files lib/proto.js, lib/levels.js, lib/redaction.js, lib/multistream.js, lib/transport.js, copies pino keywords ['fast','logger','stream','json']). When the exported middleware is invoked, index.js spawns a detached `node lib/caller.js` child. lib/caller.js base64-decodes a hardcoded URL (https://api.jsonstorage.net/v1/json/2ef8c758-a96f-459e-b036-b3b90379a165/a179ea35-b962-4722-b3f1-e28316d1a44a) disguised as a `DEV_API_KEY` env-var fake, GETs the JSON document, and passes the response's `data.cookie` string to `new Function.constructor('require', s)` and invokes it with `require`. The fetched content is attacker-controlled and mutable, runs with full Node `require` access, retries up to 5 times, and is detached so failures are silent. Headers (`x-secret-key`) are also base64-decoded from masquerading env-var names. This is a classic remote-code dropper hidden behind a typosquat lure.
Decision reason
OpenSSF Malicious Packages via OSV confirms loading-sessions@6.13.2 as malicious (MAL-2026-10471): Malicious code in loading-sessions (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory