registry  /  type-swap  /  3.1.3

type-swap@3.1.3

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10511 confirms this npm version as malicious. The package's declared main entry (index.js) exports a middleware factory that, when invoked by a consumer, spawns lib/caller.js as a detached child process with stdio ignored and unref()'d, concealing it from the parent. lib/caller.js performs an HTTPS GET to https://jsonhosting.com/api/json/e16583b1/raw, extracts a JavaScript payload from a `cookie` field in the response, and executes it via `new...

Advisory
MAL-2026-10511
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in type-swap (npm)
Details
The package's declared main entry (index.js) exports a middleware factory that, when invoked by a consumer, spawns lib/caller.js as a detached child process with stdio ignored and unref()'d, concealing it from the parent. lib/caller.js performs an HTTPS GET to https://jsonhosting.com/api/json/e16583b1/raw, extracts a JavaScript payload from a `cookie` field in the response, and executes it via `new Function.constructor("require", s)(require)`, granting the remote host arbitrary code execution in the installer's Node process with `require` bound. Additional remote endpoints (https://jsonkeeper.com/b/XRGF3 in lib/caller.js and https://jsonkeeper.com/b/4NAKK in lib/const.js) are stored base64-encoded under a fake `process.env` object keyed as `DEV_API_KEY`, staged for the fetched payload. The package name and README impersonate an unrelated logging library.
Decision reason
No blocking static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 52.7 KB of source, external domains: github.com, jsonhosting.com

Source & flagged code

1 flagged · loading source
docs/transports.mdView file
550patternName = generic_password severity = medium line = 550 matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in docs/transports.md

docs/transports.mdView on unpkg · L550

Findings

3 Medium3 Low
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndocs/transports.md
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings