npm

ts-webplug @3.0.8

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-5994

Ecosystem

npm

Summary

The package impersonates the pino logger (README titled 'chai-mocks', badges linking to pinojs/pino, module export named pino ) while its actual package name ts-webplug is unrelated. When a consumer requires the package and invokes its exported middleware, index.js spawns lib/caller.js as a detached Node child process. lib/caller.js performs axios.get(...) against https://jsonhosting.com/api/json/9343c2ce/raw, extracts the cookie field from the response, and passes it to new Function.constructor('require', s)(require) — evaluating attacker-controlled JavaScript with full require access in the consumer's Node process. The remote URL is additionally concealed in a spoofed process.env object where DEV_API_KEY is a base64 blob decoding to a jsonkeeper.com URL (a second mutable, anonymous-host pointer in lib/const.js decodes to https://jsonkeeper.com/b/4NAKK). The fetch host is a mutable anonymous paste service — today's payload can be swapped for anything at any time — and the executed code runs with full Node privileges on the installer/consumer machine.

Source: amazon-inspector (a120eb8e3f6ca34493b7f282544523ab60137e8388148b191f46cda094e50789)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.