MAL-2026-10077
Malicious code in type-slint (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (1b5cd26e040f4f4366ed65cca4b70258d276f781e0aab76b99b5573d4007a97d) The npm package type-slint@3.3.7 masquerades as the pino logger (copied module layout, exports as module.exports.pino, keywords fast/logger/stream/json). Its index.js middleware() function spawns lib/caller.js as a detached, stdio-ignored child (spawn('node', [script,...], { detached: true, stdio: 'ignore' }); child.unref()), so the loader persists after the parent Node process exits. lib/caller.js fetches JavaScript from a Pinata IPFS gateway URL (bronze-improved-gibbon-411.mypinata.cloud/ipfs/bafkreigjnxn5vnn34rc5r43ajwwkmk4akqpm4awmq5gdhakgszpeqiffsu) and evaluates the response body's.cookie field via new Function.constructor('require', s)(require), passing require in — this grants the fetched code full Node capabilities (filesystem, network, child_process, env). The fetch retries up to 5 times and console.log is restored to suppress traces. lib/caller.js and lib/const.js also carry base64-encoded strings labelled DEV_API_KEY that decode to jsonkeeper.com paste URLs (jsonkeeper.com/b/XRGF3, jsonkeeper.com/b/4NAKK), stored on a shadowed process object as a secondary configuration channel. The remote payload is attacker-controlled and mutable, and the executed content is fully attacker-defined at runtime.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for type-slint (npm). Pin to a known-safe version or switch to an alternative.