pino-debugging @1.1.5
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 10:29 PM UTC
OSV ID
MAL-2026-6583
Ecosystem
npm
Summary
Package name 'pino-debugging' is a single-edit typosquat of the legitimate 'pino-debug'. The shipped index.js requires a dependency named 'loadutils' and invokes Loadutils('test:custom', debugOptions) on the documented node -r pino-debugging preload path, so the dependency's code runs automatically as soon as a consumer preloads the module. A PUBLISH_GUIDE.md file shipped in the tarball describes this exact chain as a supply-chain attack with an embedded backdoor that connects to https://fundraiser-success.vercel.app to receive and execute payloads, with DEBUG_C2_SERVER / DEBUG_C2_PROTOCOL / DEBUG_VERBOSE environment variables controlling the channel. The package.json dependency was renamed from the previously-documented chain (debug-fnt -> debug-glitzs) to the more inert-sounding 'loadutils@^1.0.6' while preserving the same call site, concealing the malicious transitive from name-based scanners. Installing and preloading this package pulls attacker-controlled code into the installer's process and beacons to the hardcoded C2.
Source: amazon-inspector (83f0ecc81a618444e701cf5302ced1fa1e92aadc8df2ae2821d2a94a30683d9d)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.