VDB
KO

MAL-2026-10164

Malicious code in type-async (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (d064750b4e3821d296d538ea749483e3f9cd54299645fc1c895e5c1af3639b5d) The package presents itself as pino (typosquat; README mirrors pino). The main entry `index.js` exports a middleware factory that, on invocation, spawns `lib/caller.js` as a detached Node child process. `lib/caller.js` performs an HTTPS GET against a remote JSON pastebin (https://json.extendsclass.com/bin/250fca079abb), extracts the `.cookie` field of the response, and passes it to `new Function.constructor("require", s)`, then invokes the resulting function with the host's `require` binding — giving whoever controls the pastebin arbitrary code execution on the machine that loaded the package, with full Node module access. Alternate payload URLs on jsonkeeper.com (https://jsonkeeper.com/b/XRGF3, https://jsonkeeper.com/b/4NAKK) are stored base64-encoded inside fake `process.env` objects in `lib/caller.js` and `lib/const.js` under a `DEV_API_KEY` key, obscuring the destination hosts from casual inspection. The fetched content is unpinned and mutable, the destinations are anonymous paste services unrelated to the package's advertised logging purpose, and the payload is executed with no integrity verification.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / type-async

No fixed version published yet for type-async (npm). Pin to a known-safe version or switch to an alternative.

References