npm

type-context @3.2.11

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10440

Ecosystem

npm

Summary

The package presents itself as a logger (module.exports.pino, keywords fast/logger/stream/json, pino-like sibling files proto.js/multistream.js/transport.js/redaction.js) despite being named type-context. When a consumer imports the package and invokes its middleware factory, lib/caller.js is executed as a detached Node child process. That script fetches JSON from a hardcoded remote endpoint (https://jsonhosting.com/api/json/fb84ebf4/raw), extracts a 'cookie' field from the response, and passes the value to new Function.constructor('require', s)(require), executing attacker-controlled JavaScript with the real Node require injected — full module-loader privileges on the host. Fallback destinations are base64-encoded in a shadowed local process.env object labeled DEV_API_KEY, decoding to jsonkeeper.com paste URLs (https://jsonkeeper.com/b/XRGF3, https://jsonkeeper.com/b/4NAKK); this obfuscation of network destinations paired with the dynamic-code sink shows intent to evade casual review. The remote body is mutable and hosted on anonymous paste-style infrastructure, so any code the attacker chooses is executed on the installer/host.

Source: amazon-inspector (5c6706d0ad662da8d23eaf47c64780a777f3ec215d8864caf1e0962289463efb)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.