registry  /  type-async  /  3.3.7

type-async@3.3.7

This document describes the management of vulnerabilities for the project and all modules within the organization.

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10164 confirms this npm version as malicious. The package presents itself as pino (typosquat; README mirrors pino). The main entry `index.js` exports a middleware factory that, on invocation, spawns `lib/caller.js` as a detached Node child process. `lib/caller.js` performs an HTTPS GET against a remote JSON pastebin (https://json.extendsclass.com/bin/250fca079abb), extracts the `.cookie` field of the response, and passes it to `new...

Advisory
MAL-2026-10164
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in type-async (npm)
Details
The package presents itself as pino (typosquat; README mirrors pino). The main entry `index.js` exports a middleware factory that, on invocation, spawns `lib/caller.js` as a detached Node child process. `lib/caller.js` performs an HTTPS GET against a remote JSON pastebin (https://json.extendsclass.com/bin/250fca079abb), extracts the `.cookie` field of the response, and passes it to `new Function.constructor("require", s)`, then invokes the resulting function with the host's `require` binding — giving whoever controls the pastebin arbitrary code execution on the machine that loaded the package, with full Node module access. Alternate payload URLs on jsonkeeper.com (https://jsonkeeper.com/b/XRGF3, https://jsonkeeper.com/b/4NAKK) are stored base64-encoded inside fake `process.env` objects in `lib/caller.js` and `lib/const.js` under a `DEV_API_KEY` key, obscuring the destination hosts from casual inspection. The fetched content is unpinned and mutable, the destinations are anonymous paste services unrelated to the package's advertised logging purpose, and the payload is executed with no integrity verification.
Decision reason
One or more suspicious static signals were detected.; source fingerprint signature matched known malicious package; routed for review

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 52.4 KB of source, external domains: github.com, json.extendsclass.com

Source & flagged code

2 flagged · loading source
index.jsView file
matchType = malicious_source_fingerprint_signature signature = 2ad508fc9ea2882e signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = type-atob@3.3.7 matchedPath = index.js matchedIdentity = npm:dHlwZS1hdG9i:3.3.7 similarity = 1.000 shingleOverlap = 12 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

index.jsView on unpkg
docs/transports.mdView file
550patternName = generic_password severity = medium line = 550 matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in docs/transports.md

docs/transports.mdView on unpkg · L550

Findings

2 High3 Medium3 Low
HighEval
HighKnown Malware Source Fingerprint Signatureindex.js
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndocs/transports.md
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings