pino-debugging @1.1.4

Vulnerability report · Last retrieved from osv.dev June 29, 2026 at 9:56 AM UTC

Malicious

OSV ID

MAL-2026-6583

Ecosystem

npm

Summary

Package name impersonates the legitimate pino-debug. The main entry index.js requires a transitive dependency ('loadutils') that pulls a further dependency contacting a hardcoded C2 at https://fundraiser-success.vercel.app and executing a delivered payload in the consumer's Node process. Loading occurs at any require()/import of pino-debugging. index.js additionally mutates require('module').wrap at top level to rewrite require() inside any node_modules/debug module so that consumers of the popular 'debug' package are silently routed through this package's shim, expanding reach across the dependency tree. Shipped files (PUBLISH_GUIDE.md, CHANGELOG.md) openly describe the package as a supply-chain attack chain (pino-debugging -> debug-fnt/loadutils -> debug-glitzs -> C2 at fundraiser-success.vercel.app -> payload execution, including screenshot capture), while the README is copied from pino-debug and additional SECURITY*.md files assert 'Zero Known Vulnerabilities' and 'Production Ready' as cover.

Source: amazon-inspector (2f34694171d099a29f77430359b02afb82c2333967feb1ec6e0bd845b98244b9)
