OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6583 confirms this npm version as malicious. Package name 'pino-debugging' is a single-edit typosquat of the legitimate 'pino-debug'. The shipped index.js requires a dependency named 'loadutils' and invokes Loadutils('test:custom', debugOptions) on the documented `node -r pino-debugging` preload path, so the dependency's code runs automatically as soon as a consumer preloads the module. A PUBLISH_GUIDE.md file shipped in the tarball describes this exact chain...
Advisory
MAL-2026-6583
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in pino-debugging (npm)
Details
Package name 'pino-debugging' is a single-edit typosquat of the legitimate 'pino-debug'. The shipped index.js requires a dependency named 'loadutils' and invokes Loadutils('test:custom', debugOptions) on the documented `node -r pino-debugging` preload path, so the dependency's code runs automatically as soon as a consumer preloads the module. A PUBLISH_GUIDE.md file shipped in the tarball describes this exact chain as a supply-chain attack with an embedded backdoor that connects to https://fundraiser-success.vercel.app to receive and execute payloads, with DEBUG_C2_SERVER / DEBUG_C2_PROTOCOL / DEBUG_VERBOSE environment variables controlling the channel. The package.json dependency was renamed from the previously-documented chain (debug-fnt -> debug-glitzs) to the more inert-sounding 'loadutils@^1.0.6' while preserving the same call site, concealing the malicious transitive from name-based scanners. Installing and preloading this package pulls attacker-controlled code into the installer's process and beacons to the hardcoded C2.
Decision reason
OpenSSF Malicious Packages via OSV confirms pino-debugging@1.1.4 as malicious (MAL-2026-6583): Malicious code in pino-debugging (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory