OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10510 confirms this npm version as malicious. The package presents itself as a pino-compatible logger (exports a middleware aliased as `pino`, ships pino-like files such as proto.js, redaction.js, multistream.js, transport.js) but its actual runtime effect is to launch a remote code loader. Requiring the package invokes a middleware factory that spawns a detached Node child process running lib/caller.js...
Advisory
MAL-2026-10510
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in type-astr (npm)
Details
The package presents itself as a pino-compatible logger (exports a middleware aliased as `pino`, ships pino-like files such as proto.js, redaction.js, multistream.js, transport.js) but its actual runtime effect is to launch a remote code loader. Requiring the package invokes a middleware factory that spawns a detached Node child process running lib/caller.js. That script decodes a base64-encoded URL constant (DEV_API_KEY = "aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iL1hSR0Yz" → https://jsonkeeper.com/b/XRGF3; additional endpoints include https://jsonkeeper.com/b/4NAKK and https://jsonhosting.com/api/json/f1a66ab0/raw), fetches the JSON document via axios, extracts a `cookie` field, and passes its contents to `new Function.constructor("require", s)(require)`, executing attacker-controlled JavaScript in the installer's Node process with full `require` access. The remote endpoints are anonymous paste-style hosts whose content can be changed by whoever controls the paste at any time.
Decision reason
No blocking static signals were detected.
References
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsNetwork
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedocs/transports.mdView file
550patternName = generic_password
severity = medium
line = 550
matchedText = password...rd',
Medium
Findings
3 Medium3 Low
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndocs/transports.md
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings