OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10440 confirms this npm version as malicious. The package presents itself as a pino-style logger (README and keywords reference logging; index.js exports `module.exports.pino = middleware`), but the exported middleware invokes runJobA, which spawns a detached `node lib/caller.js` child with stdio ignored and unref()'d. lib/caller.js fetches a JSON document from an anonymous, mutable pastebin-style host (https://json.extendsclass.com/bin/cddf5a07b53f and...
Advisory
MAL-2026-10440
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in type-context (npm)
Details
The package presents itself as a pino-style logger (README and keywords reference logging; index.js exports `module.exports.pino = middleware`), but the exported middleware invokes runJobA, which spawns a detached `node lib/caller.js` child with stdio ignored and unref()'d. lib/caller.js fetches a JSON document from an anonymous, mutable pastebin-style host (https://json.extendsclass.com/bin/cddf5a07b53f and https://jsonkeeper.com/b/XRGF3, https://jsonkeeper.com/b/4NAKK) and executes the response body's `.cookie` field as JavaScript via `new Function.constructor('require', s)(require)`, giving the remote endpoint arbitrary code execution in the consumer's Node process with access to require(). The exfil/loader URLs are stored base64-encoded in lib/const.js (e.g. `DEV_API_KEY: 'aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iL1hSR0Yz'` decodes to https://jsonkeeper.com/b/XRGF3) to hide the destinations from casual inspection. The declared purpose (logging middleware) does not match the actual behavior (remote-fetch-and-eval dropper), and the fetched code is served from anonymous author-mutable hosts with no pinning or integrity check.
Decision reason
OpenSSF Malicious Packages via OSV confirms type-context@3.2.8 as malicious (MAL-2026-10440): Malicious code in type-context (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory