registry  /  type-elint  /  3.3.7

type-elint@3.3.7

This document describes the management of vulnerabilities for the project and all modules within the organization.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Runtime invocation of the exported middleware launches a detached background loader. That loader downloads and executes attacker-controlled JavaScript with Node's `require` capability.

Static reason
One or more suspicious static signals were detected.; source fingerprint signature matched known malicious package; routed for review
Trigger
Application code invokes the package's exported middleware.
Impact
Remote operator can execute arbitrary Node code in the host application's context.
Mechanism
Detached remote payload download and arbitrary code execution.
Attack narrative
When a consumer invokes the exported middleware, `index.js` spawns a detached Node process running `lib/caller.js`. The child requests a remote endpoint, takes the response's `cookie` field as JavaScript, dynamically compiles it, and invokes it with `require`. This is a concrete remote-code-execution loader; the remotely supplied payload can select file, credential, persistence, or network behavior at execution time.
Rationale
The package contains an active, runtime-triggered remote payload loader with dynamic execution and unrestricted module access. Absence of an install hook does not mitigate this concrete RCE behavior.
Evidence
package.jsonindex.jslib/caller.js
Network endpoints1
json.extendsclass.com/bin/863e90480800

OSV Corroboration

OpenSSF/OSV
Advisory
MAL-2026-10137
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in type-elint (npm)
Details
Package impersonates the pino logger (README is pino documentation, package name is a lookalike). The main export is a middleware factory that spawns lib/caller.js as a detached Node child process. caller.js retrieves JavaScript from hardcoded remote endpoints at https://json.extendsclass.com/bin/863e90480800 and https://jsonkeeper.com/b/XRGF3, then evaluates the response body using the Function constructor with require passed in scope, yielding arbitrary code execution in the consumer's environment under the endpoint owner's control. The destination URLs are base64-encoded and stored under a decoy DEV_API_KEY property (e.g., aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iL1hSR0Yz decodes to the jsonkeeper.com URL) to hide the C2/dead-drop from casual review. Mutable third-party paste services as the code source mean the delivered payload can change at any time without any package update.

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `index.js` starts a detached Node child when exported middleware is invoked.
  • `lib/caller.js` fetches code from `https://json.extendsclass.com/bin/863e90480800`.
  • `lib/caller.js` extracts `data.cookie` from the response and compiles it with `new Function.constructor`.
  • The downloaded code receives `require`, granting arbitrary local module access.
  • The remote fetch uses a nonstandard `x-secret-key` header and retries silently.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hook.
  • The visible loader does not directly read local files or environment variables before remote execution.
Behavioral surface
Source
ChildProcessEnvironmentVarsNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 52.4 KB of source, external domains: github.com, json.extendsclass.com

Source & flagged code

2 flagged · loading source
index.jsView file
matchType = malicious_source_fingerprint_signature signature = 2ad508fc9ea2882e signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = type-slint@3.3.7 matchedPath = index.js matchedIdentity = npm:dHlwZS1zbGludA:3.3.7 similarity = 1.000 shingleOverlap = 12 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

index.jsView on unpkg
docs/transports.mdView file
550patternName = generic_password severity = medium line = 550 matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in docs/transports.md

docs/transports.mdView on unpkg · L550

Findings

2 High3 Medium3 Low
HighEval
HighKnown Malware Source Fingerprint Signatureindex.js
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndocs/transports.md
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings