npm

nodepack-daemon @1.2.9

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 6:33 PM UTC

Malicious

OSV ID

MAL-2026-10111

Ecosystem

npm

Summary

The package presents itself as the popular pino logger (README badges, file layout mirroring pino's lib/proto.js, lib/redaction.js, lib/transport.js, DEFAULT_LEVELS, and module.exports.pino = middleware ), but on use it triggers a remote code execution flow. index.js spawns node./lib/caller.js in a detached, stdio-ignored child when the exported middleware is invoked. lib/caller.js issues an HTTPS GET against https://jsonkeeper.com/b/QWPQX, reads the cookie field of the returned JSON, and passes it to Function.constructor('require', s) , invoking the returned function with the real require — giving whatever code the paste currently contains full Node capabilities inside the installer's process. The exfil/C2 URLs are further obfuscated as base64-encoded fake process.env.DEV_API_KEY / DEV_SECRET_KEY / DEV_SECRET_VALUE constants in lib/caller.js and lib/const.js that decode to additional jsonkeeper.com paste endpoints (https://jsonkeeper.com/b/XRGF3, https://jsonkeeper.com/b/4NAKK) and a custom x-secret-key header. jsonkeeper.com is an anonymous, mutable paste host — the executed payload can be swapped by the operator at any time without a package update. Name impersonation of pino plus a mutable-paste remote-execute channel plus URL obfuscation is an unambiguous supply-chain attack.

Source: amazon-inspector (b976e6ab638a52663d25f360bffec6706dc82991ad27c552788a5a4d785ff89f)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.