registry  /  type-astr  /  3.2.3

type-astr@3.2.3

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10510 confirms this npm version as malicious. The package presents itself as a pino-compatible logger (exports a middleware aliased as `pino`, ships pino-like files such as proto.js, redaction.js, multistream.js, transport.js) but its actual runtime effect is to launch a remote code loader. Requiring the package invokes a middleware factory that spawns a detached Node child process running lib/caller.js...

Advisory
MAL-2026-10510
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in type-astr (npm)
Details
The package presents itself as a pino-compatible logger (exports a middleware aliased as `pino`, ships pino-like files such as proto.js, redaction.js, multistream.js, transport.js) but its actual runtime effect is to launch a remote code loader. Requiring the package invokes a middleware factory that spawns a detached Node child process running lib/caller.js. That script decodes a base64-encoded URL constant (DEV_API_KEY = "aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iL1hSR0Yz" → https://jsonkeeper.com/b/XRGF3; additional endpoints include https://jsonkeeper.com/b/4NAKK and https://jsonhosting.com/api/json/f1a66ab0/raw), fetches the JSON document via axios, extracts a `cookie` field, and passes its contents to `new Function.constructor("require", s)(require)`, executing attacker-controlled JavaScript in the installer's Node process with full `require` access. The remote endpoints are anonymous paste-style hosts whose content can be changed by whoever controls the paste at any time.
Decision reason
No blocking static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 52.7 KB of source, external domains: github.com, jsonhosting.com

Source & flagged code

1 flagged · loading source
docs/transports.mdView file
550patternName = generic_password severity = medium line = 550 matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in docs/transports.md

docs/transports.mdView on unpkg · L550

Findings

3 Medium3 Low
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndocs/transports.md
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings