type-swap @3.1.3
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10511
Ecosystem
npm
Summary
The package's declared main entry (index.js) exports a middleware factory that, when invoked by a consumer, spawns lib/caller.js as a detached child process with stdio ignored and unref()'d, concealing it from the parent. lib/caller.js performs an HTTPS GET to https://jsonhosting.com/api/json/e16583b1/raw, extracts a JavaScript payload from a cookie field in the response, and executes it via new Function.constructor("require", s)(require) , granting the remote host arbitrary code execution in the installer's Node process with require bound. Additional remote endpoints (https://jsonkeeper.com/b/XRGF3 in lib/caller.js and https://jsonkeeper.com/b/4NAKK in lib/const.js) are stored base64-encoded under a fake process.env object keyed as DEV_API_KEY , staged for the fetched payload. The package name and README impersonate an unrelated logging library.
Source: amazon-inspector (6db27d60a7dec38dafef8ed810203dc0130cf340eae162410dfcb7b21a4e2658)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.