npm

type-slint @3.3.7

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-10077

Ecosystem

npm

Summary

The npm package type-slint@3.3.7 masquerades as the pino logger (copied module layout, exports as module.exports.pino, keywords fast/logger/stream/json). Its index.js middleware() function spawns lib/caller.js as a detached, stdio-ignored child (spawn('node', [script,...], { detached: true, stdio: 'ignore' }); child.unref()), so the loader persists after the parent Node process exits. lib/caller.js fetches JavaScript from a Pinata IPFS gateway URL (bronze-improved-gibbon-411.mypinata.cloud/ipfs/bafkreigjnxn5vnn34rc5r43ajwwkmk4akqpm4awmq5gdhakgszpeqiffsu) and evaluates the response body's.cookie field via new Function.constructor('require', s)(require), passing require in — this grants the fetched code full Node capabilities (filesystem, network, child_process, env). The fetch retries up to 5 times and console.log is restored to suppress traces. lib/caller.js and lib/const.js also carry base64-encoded strings labelled DEV_API_KEY that decode to jsonkeeper.com paste URLs (jsonkeeper.com/b/XRGF3, jsonkeeper.com/b/4NAKK), stored on a shadowed process object as a secondary configuration channel. The remote payload is attacker-controlled and mutable, and the executed content is fully attacker-defined at runtime.

Source: amazon-inspector (1b5cd26e040f4f4366ed65cca4b70258d276f781e0aab76b99b5573d4007a97d)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.