npm

type-astr @3.2.3

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10510

Ecosystem

npm

Summary

The package presents itself as a pino-compatible logger (exports a middleware aliased as pino , ships pino-like files such as proto.js, redaction.js, multistream.js, transport.js) but its actual runtime effect is to launch a remote code loader. Requiring the package invokes a middleware factory that spawns a detached Node child process running lib/caller.js. That script decodes a base64-encoded URL constant (DEV_API_KEY = "aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iL1hSR0Yz" → https://jsonkeeper.com/b/XRGF3; additional endpoints include https://jsonkeeper.com/b/4NAKK and https://jsonhosting.com/api/json/f1a66ab0/raw), fetches the JSON document via axios, extracts a cookie field, and passes its contents to new Function.constructor("require", s)(require) , executing attacker-controlled JavaScript in the installer's Node process with full require access. The remote endpoints are anonymous paste-style hosts whose content can be changed by whoever controls the paste at any time.

Source: amazon-inspector (89817054cec44ec8ba09dd26af025483096055c0a931172bd4a63910dceb87fc)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.