VDB
KO

MAL-2026-10130

Malicious code in type-plint (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (37979cc60cff25e26406f3426f0dd7aeac12c13e55402c89f78228080cac0ad9) The package advertises itself as a pino-style logger but its exported middleware spawns lib/caller.js as a detached Node child process. lib/caller.js performs an HTTP GET against a third-party mutable JSON-bin host (json.extendsclass.com/bin/26d6d7d075e1, with secondary jsonkeeper.com bins) and passes the returned string to `new Function.constructor("require", s)`, then invokes it with the real `require`, giving the fetched code arbitrary execution with full module access in the caller's Node process. lib/const.js and lib/caller.js embed base64-encoded jsonkeeper.com bin URLs disguised as environment-variable defaults (e.g. DEV_API_KEY decodes to https://jsonkeeper.com/b/XRGF3), a standard evasion shape for staged remote-code loaders. The pino-like API surface and `module.exports.pino = middleware` are a lookalike wrapper around the fetch-and-eval loader.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / type-plint

No fixed version published yet for type-plint (npm). Pin to a known-safe version or switch to an alternative.

References