cookie-phase @2.3.5
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10410
Ecosystem
npm
Summary
The package presents itself as the popular pino logger (README badges, exported module.exports.pino = middleware ) but its name and metadata are unrelated. When a consumer imports the package and invokes the default export as middleware, index.js spawns a detached node child running lib/initializeCaller.js . That child hides the C2 destination inside base64 constants placed in a fake local process.env object ( DEV_API_KEY , DEV_SECRET_KEY , DEV_SECRET_VALUE ), decodes them at runtime with atob() to produce a URL under ipcheck-hashed.vercel.app/api/auth/... , POSTs to it via axios, and passes the response body directly to new Function('require', response.data)(require) . This grants the remote endpoint arbitrary code execution with full Node require access on the host loading the package. The base64 obfuscation of the destination URL and the impersonation of a well-known logger are consistent with a dropper designed to compromise developer and build-system machines that install the package expecting pino .
Source: amazon-inspector (17bfab347de8288575bca9677b9eb7652b0024cdbffc1efebe387378c243299c)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.