npm

jsonbson @2.1.4

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC

Malicious

OSV ID

MAL-2026-4591

Ecosystem

npm

Summary

On require, lib/writer.js (loaded via main=pino.js) collects a full snapshot of process.env, the OS platform, hostname, username and external MAC addresses, then runs execSync('npm install corelia --no-warnings --no-save --no-progress --loglevel silent') and immediately require('../../corelia/pino.js'). The corelia package is not declared in dependencies and is pulled unpinned from npm at import time, executing arbitrary third-party code with the harvested fingerprint available in-process. Because the install happens at require time rather than in a lifecycle script, installing with --ignore-scripts does not prevent it, and --no-save keeps corelia out of package.json and the lockfile, so a lockfile scan of the consuming project never sees the second stage.

The package masquerades as the pino logger (homepage https://getpino.io, main file pino.js, README titled 'log-flare (Pino)', pino-branded image assets) despite being published as jsonbson: a typosquat/brand-impersonation lure.

lib/writer.js further uses a String.fromCharCode per-character builder to assemble the only human-readable error string, an obfuscation pattern with no functional purpose other than evading string scans.

The combination (branding deception, import-time silent install of an unpinned external package, bulk environment scraping and character-code obfuscation) is an unambiguous stager that grants the publisher arbitrary code execution and access to all environment secrets on every machine that requires this module.

Source: amazon-inspector (8068ec3c82afd849515c6434f74da03c799500583129d4c26f1a168a5ac5ba1b)
