pino-zod @1.0.122
Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 1:30 AM UTC
OSV ID
MAL-2026-6505
Ecosystem
npm
Summary
Package advertises itself as a pino+zod logging helper but ships content that does not match that purpose: a dist/discordRelayUpload.js module containing POST/upload code paths and base64 buffer handling, a dist/relayServer.js module, a dist/secretScan/ tree (agentStartupAudit.js, contentScanner.js) that performs fetches against huggingface.co, a dist/hfCredentials.js with base64 decoding, a dist/deploymentDefaults.js with multiple base64 buffers, and a scripts/postinstall-agent.mjs containing GET/ping/id patterns. The presence of a postinstall-agent.mjs under scripts/ is concerning as a possible install-time agent, and the shipped relay/upload/secret-scan modules suggest behavior far outside the declared logging-library scope. However, without traced execution context confirming whether postinstall-agent.mjs is actually invoked by a lifecycle hook, where the base64 blobs decode to, and whether the Discord/HuggingFace endpoints carry installer data outward, the intent cannot be conclusively classified. Routing to human review for inspection of package.json lifecycle hooks, the contents of deploymentDefaults.js base64 payloads, and the data flow into the Discord upload and HuggingFace fetch paths.
Source: amazon-inspector (92ceffaf94fc190f70c18587857f2f0a674a9699512eec79f5cf738eefaa54ca)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.