type-unique @3.1.3
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10512
Ecosystem
npm
Summary
type-unique@3.1.3 presents itself as the pino logger (matching README, keywords, and package shape) but on require() its index.js spawns a detached node lib/caller.js child process. That child fetches JSON from https://jsonhosting.com/api/json/3ea04c38/raw, extracts a cookie field, and executes its content via new Function.constructor('require', s)(require) , giving remote content full Node.js capabilities including the bound require . Additional C2 URLs (https://jsonkeeper.com/b/XRGF3, https://jsonkeeper.com/b/4NAKK) are stored base64-encoded as fake DEV_API_KEY constants in lib/caller.js and lib/const.js to hide the destinations. The fetched payload is unpinned, unauthenticated, and served from third-party JSON-hosting services controlled by the author, so arbitrary code can be delivered to any machine that loads the package.
Source: amazon-inspector (b576b19c56055dbc3638b361d0071c669108b9a6f8756828cadee4214d57bb13)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.