OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10511 confirms this npm version as malicious. The package's declared main entry (index.js) exports a middleware factory that, when invoked by a consumer, spawns lib/caller.js as a detached child process with stdio ignored and unref()'d, concealing it from the parent. lib/caller.js performs an HTTPS GET to https://jsonhosting.com/api/json/e16583b1/raw, extracts a JavaScript payload from a `cookie` field in the response, and executes it via `new...
Advisory
MAL-2026-10511
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in type-swap (npm)
Details
The package's declared main entry (index.js) exports a middleware factory that, when invoked by a consumer, spawns lib/caller.js as a detached child process with stdio ignored and unref()'d, concealing it from the parent. lib/caller.js performs an HTTPS GET to https://jsonhosting.com/api/json/e16583b1/raw, extracts a JavaScript payload from a `cookie` field in the response, and executes it via `new Function.constructor("require", s)(require)`, granting the remote host arbitrary code execution in the installer's Node process with `require` bound. Additional remote endpoints (https://jsonkeeper.com/b/XRGF3 in lib/caller.js and https://jsonkeeper.com/b/4NAKK in lib/const.js) are stored base64-encoded under a fake `process.env` object keyed as `DEV_API_KEY`, staged for the fetched payload. The package name and README impersonate an unrelated logging library.
Decision reason
No blocking static signals were detected.
References
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsNetwork
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedocs/transports.mdView file
550patternName = generic_password
severity = medium
line = 550
matchedText = password...rd',
Medium
Findings
3 Medium3 Low
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndocs/transports.md
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings