npm

type-swap @3.1.3

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10511

Ecosystem

npm

Summary

The package's declared main entry (index.js) exports a middleware factory that, when invoked by a consumer, spawns lib/caller.js as a detached child process with stdio ignored and unref()'d, concealing it from the parent. lib/caller.js performs an HTTPS GET to https://jsonhosting.com/api/json/e16583b1/raw, extracts a JavaScript payload from a cookie field in the response, and executes it via new Function.constructor("require", s)(require) , granting the remote host arbitrary code execution in the installer's Node process with require bound. Additional remote endpoints (https://jsonkeeper.com/b/XRGF3 in lib/caller.js and https://jsonkeeper.com/b/4NAKK in lib/const.js) are stored base64-encoded under a fake process.env object keyed as DEV_API_KEY , staged for the fetched payload. The package name and README impersonate an unrelated logging library.

Source: amazon-inspector (6db27d60a7dec38dafef8ed810203dc0130cf340eae162410dfcb7b21a4e2658)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.