tslint-conf @7.2.1
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 1:25 AM UTC
OSV ID
MAL-2026-7022
Ecosystem
npm
Summary
The package presents itself as the pino logger (README, index.d.ts, docs/, and lib/ files all reference pinojs/pino) but is published under the unrelated name tslint-conf . Its default export is an Express-style middleware factory whose invocation synchronously calls runJobA , which uses child_process.spawn("node", ["lib/caller.js",...], { detached: true, stdio: "ignore" }) followed by child.unref() to launch a hidden background worker. lib/caller.js performs axios.get against https://peach-eligible-penguin-917.mypinata.cloud/ipfs/bafkreigjnxn5vnn34rc5r43ajwwkmk4akqpm4awmq5gdhakgszpeqiffsu , takes the response body, and passes it to new Function.constructor("require", s) then invokes the resulting function with require , granting the fetched code full Node.js capabilities on the host. The remote content is attacker-controlled (Pinata account under the operator's control), unpinned by hash/signature, and executed unconditionally on every use of the middleware. Combined with the pino cover story, any consumer misled into using this package as their logger triggers remote code execution.
Source: amazon-inspector (31b464b1646f8e2d36ce68a86af599cc49d5381f08af70302ff01f42957234a1)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.