npm

type-plint @3.3.7

Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 4:33 PM UTC

Malicious

OSV ID

MAL-2026-10130

Ecosystem

npm

Summary

The package advertises itself as a pino-style logger but its exported middleware spawns lib/caller.js as a detached Node child process. lib/caller.js performs an HTTP GET against a third-party mutable JSON-bin host (json.extendsclass.com/bin/26d6d7d075e1, with secondary jsonkeeper.com bins) and passes the returned string to new Function.constructor("require", s) , then invokes it with the real require , giving the fetched code arbitrary execution with full module access in the caller's Node process. lib/const.js and lib/caller.js embed base64-encoded jsonkeeper.com bin URLs disguised as environment-variable defaults (e.g. DEV_API_KEY decodes to https://jsonkeeper.com/b/XRGF3), a standard evasion shape for staged remote-code loaders. The pino-like API surface and module.exports.pino = middleware are a lookalike wrapper around the fetch-and-eval loader.

Source: amazon-inspector (37979cc60cff25e26406f3426f0dd7aeac12c13e55402c89f78228080cac0ad9)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.