registry  /  tslint-conf  /  7.2.1

tslint-conf@7.2.1

This document describes the management of vulnerabilities for the project and all modules within the organization.

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-7022 confirms this npm version as malicious. The package presents itself as the `pino` logger (README, index.d.ts, docs/, and lib/ files all reference pinojs/pino) but is published under the unrelated name `tslint-conf`. Its default export is an Express-style middleware factory whose invocation synchronously calls `runJobA`, which uses `child_process.spawn("node", ["lib/caller.js",...], { detached: true, stdio: "ignore" })` followed by `child.unref()` to...

Advisory
MAL-2026-7022
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in tslint-conf (npm)
Details
The package presents itself as the `pino` logger (README, index.d.ts, docs/, and lib/ files all reference pinojs/pino) but is published under the unrelated name `tslint-conf`. Its default export is an Express-style middleware factory whose invocation synchronously calls `runJobA`, which uses `child_process.spawn("node", ["lib/caller.js",...], { detached: true, stdio: "ignore" })` followed by `child.unref()` to launch a hidden background worker. `lib/caller.js` performs `axios.get` against `https://peach-eligible-penguin-917.mypinata.cloud/ipfs/bafkreigjnxn5vnn34rc5r43ajwwkmk4akqpm4awmq5gdhakgszpeqiffsu`, takes the response body, and passes it to `new Function.constructor("require", s)` then invokes the resulting function with `require`, granting the fetched code full Node.js capabilities on the host. The remote content is attacker-controlled (Pinata account under the operator's control), unpinned by hash/signature, and executed unconditionally on every use of the middleware. Combined with the pino cover story, any consumer misled into using this package as their logger triggers remote code execution.
Decision reason
OpenSSF Malicious Packages via OSV confirms tslint-conf@7.2.1 as malicious (MAL-2026-7022): Malicious code in tslint-conf (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory