registry  /  type-plint  /  3.3.7

type-plint@3.3.7

This document describes the management of vulnerabilities for the project and all modules within the organization.

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10130 confirms this npm version as malicious. The package advertises itself as a pino-style logger but its exported middleware spawns lib/caller.js as a detached Node child process. lib/caller.js performs an HTTP GET against a third-party mutable JSON-bin host (json.extendsclass.com/bin/26d6d7d075e1, with secondary jsonkeeper.com bins) and passes the returned string to `new Function.constructor("require", s)`, then invokes it with the real `require`, giving the...

Advisory
MAL-2026-10130
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in type-plint (npm)
Details
The package advertises itself as a pino-style logger but its exported middleware spawns lib/caller.js as a detached Node child process. lib/caller.js performs an HTTP GET against a third-party mutable JSON-bin host (json.extendsclass.com/bin/26d6d7d075e1, with secondary jsonkeeper.com bins) and passes the returned string to `new Function.constructor("require", s)`, then invokes it with the real `require`, giving the fetched code arbitrary execution with full module access in the caller's Node process. lib/const.js and lib/caller.js embed base64-encoded jsonkeeper.com bin URLs disguised as environment-variable defaults (e.g. DEV_API_KEY decodes to https://jsonkeeper.com/b/XRGF3), a standard evasion shape for staged remote-code loaders. The pino-like API surface and `module.exports.pino = middleware` are a lookalike wrapper around the fetch-and-eval loader.
Decision reason
OpenSSF Malicious Packages via OSV confirms type-plint@3.3.7 as malicious (MAL-2026-10130): Malicious code in type-plint (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory