loading-sessions @6.13.2
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10471
Ecosystem
npm
Summary
Package name impersonates the pino logger (exports module.exports.pino, ships pino-style files lib/proto.js, lib/levels.js, lib/redaction.js, lib/multistream.js, lib/transport.js, copies pino keywords ['fast','logger','stream','json']). When the exported middleware is invoked, index.js spawns a detached node lib/caller.js child. lib/caller.js base64-decodes a hardcoded URL (https://api.jsonstorage.net/v1/json/2ef8c758-a96f-459e-b036-b3b90379a165/a179ea35-b962-4722-b3f1-e28316d1a44a) disguised as a DEV_API_KEY env-var fake, GETs the JSON document, and passes the response's data.cookie string to new Function.constructor('require', s) and invokes it with require . The fetched content is attacker-controlled and mutable, runs with full Node require access, retries up to 5 times, and is detached so failures are silent. Headers ( x-secret-key ) are also base64-decoded from masquerading env-var names. This is a classic remote-code dropper hidden behind a typosquat lure.
Source: amazon-inspector (ed919f49d3732fb5d4bd8b177022ed58d9c08b2cded5a6141e2da07c66966a94)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.