OSV ID
MAL-2026-6098
Ecosystem
npm
Summary
On require(), lib/writer.js (loaded transitively from the package's main pino.js) collects the installer's full process.env together with host identifiers (os.hostname, os.userInfo().username, os.platform(), and external MAC addresses) into a data object, then performs an unconditional axios GET to https://www.jsonkeeper.com/b/MYUKZ and passes the response body through eval(). A second hex-obfuscated jsonkeeper.com URL (https://www.jsonkeeper.com/b/HY6M6) is also staged in the same file. jsonkeeper.com is an anonymous, user-editable JSON paste host, so the eval'd payload is mutable attacker-controlled content with closure access to the staged environment dump — a complete credential-exfiltration + remote-code-execution channel that fires on every consumer that imports the package. The package masquerades as the pino logger: it declares main=pino.js, homepage=https://getpino.io, replicates pino's writer/proto/levels/transport API surface, and ships pino-branded images, while the package name 'stackus' is unrelated to pino.
Source: amazon-inspector (0a8032b910c8971e79e7d8b0e250ce4d61fd2a2206d6b319a5aed50e32490456)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.