npm

pino-zod @1.0.122

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 1:30 AM UTC

Malicious

OSV ID

MAL-2026-6505

Ecosystem

npm

Summary

Package advertises itself as a pino+zod logging helper but ships content that does not match that purpose: a dist/discordRelayUpload.js module containing POST/upload code paths and base64 buffer handling, a dist/relayServer.js module, a dist/secretScan/ tree (agentStartupAudit.js, contentScanner.js) that performs fetches against huggingface.co, a dist/hfCredentials.js with base64 decoding, a dist/deploymentDefaults.js with multiple base64 buffers, and a scripts/postinstall-agent.mjs containing GET/ping/id patterns. The presence of a postinstall-agent.mjs under scripts/ is concerning as a possible install-time agent, and the shipped relay/upload/secret-scan modules suggest behavior far outside the declared logging-library scope. However, without traced execution context confirming whether postinstall-agent.mjs is actually invoked by a lifecycle hook, where the base64 blobs decode to, and whether the Discord/HuggingFace endpoints carry installer data outward, the intent cannot be conclusively classified. Routing to human review for inspection of package.json lifecycle hooks, the contents of deploymentDefaults.js base64 payloads, and the data flow into the Discord upload and HuggingFace fetch paths.

Source: amazon-inspector (92ceffaf94fc190f70c18587857f2f0a674a9699512eec79f5cf738eefaa54ca)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.