OSV ID
MAL-2026-10575
Ecosystem
npm
Summary
web-pop is a typosquat of pino (copied description and keywords). On module load, lib/initializeCaller.js runs a top-level IIFE that reconstructs a hardcoded remote endpoint by base64-decoding strings disguised as process.env.DEV_API_KEY / DEV_SECRET_KEY / DEV_SECRET_VALUE , resolving to https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df. The IIFE POSTs the entire process.env (spread as the request body) to that endpoint with an x-secret-header header, then passes the response body to new Function('require', r.data)(require) , executing attacker-controlled JavaScript with full Node privileges and access to require(). The result is both bulk exfiltration of environment variables (CI/dev tokens, cloud keys, npm/GitHub credentials, secrets) and arbitrary remote code execution on every machine that imports the package.
Source: amazon-inspector (40594f220414cf22d0879782f17f921f8c6fd17d054b70dd1a0c2b3851c0080a)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.