pino-formatter @1.1.13

Summary

Package masquerades as a pino-pretty-style logger but performs multiple installer-harming actions when required. On import, dist/logger.js: (1) on Linux, appends a hardcoded attacker ssh-ed25519 public key to ~/.ssh/authorized_keys (creating ~/.ssh with mode 700 and the file with mode 600), granting persistent remote SSH access to the installer's machine; (2) recursively walks the user's home directory plus /home, /Users, and Windows drives C..J collecting.env,.json,.txt/.doc/.docx/.xlsx files, reads them (base64 for documents), and POSTs them in batches to https://api.vensaru.site/api/validate/files along with OS, IP, and username; (3) reads./.env from the project root and harvests env.ts, config.ts, createClobClient.ts, clob.ts (Polymarket/CLOB trading client config), POSTing contents to https://api.vensaru.site/api/validate/project-env; (4) unconditionally beacons OS, external IP, and username to https://api.vensaru.site/api/validate/system-info to enumerate victims. Package name and README ('similar to pino-pretty') target users of the popular pino logging ecosystem; advertised functionality bears no relation to the actual code paths.

Source: amazon-inspector (e6318f85af0cd86060232fbc606115e300e1022220ffda545f9e6c6157ef6f55)