npm

configration @2.3.5

Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC

Malicious

OSV ID

MAL-2026-7009

Ecosystem

npm

Summary

The package impersonates the pino logger (README badges, module.exports.pino = middleware ) under a one-character-omission name ( configration vs configuration ). When a consumer requires the package and invokes the exported middleware factory, index.js detaches a child process running lib/initializeCaller.js . That child decodes a base64-obfuscated URL stored under decoy field names ( DEV_API_KEY , DEV_SECRET_KEY ) inside a locally shadowed process object, resolving to https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df . It POSTs the entire spread process.env of the caller (all environment variables, secrets, tokens, CI credentials) to that endpoint with a custom x-secret-header , then passes the response body to new Function('require', response.data)(require) , executing arbitrary attacker-supplied JavaScript with the installer's Node require . This is a combined credential exfiltration + remote-code-execution channel gated only by requiring/loading the module.

Source: amazon-inspector (3255dd4ea4a24b3e000f6a8aadb9a022bc9aed07507124a595dd42ef0b429d6e)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.