VDB
KO

MAL-2026-10410

Malicious code in cookie-phase (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (17bfab347de8288575bca9677b9eb7652b0024cdbffc1efebe387378c243299c) The package presents itself as the popular `pino` logger (README badges, exported `module.exports.pino = middleware`) but its name and metadata are unrelated. When a consumer imports the package and invokes the default export as middleware, `index.js` spawns a detached `node` child running `lib/initializeCaller.js`. That child hides the C2 destination inside base64 constants placed in a fake local `process.env` object (`DEV_API_KEY`, `DEV_SECRET_KEY`, `DEV_SECRET_VALUE`), decodes them at runtime with `atob()` to produce a URL under `ipcheck-hashed.vercel.app/api/auth/...`, POSTs to it via axios, and passes the response body directly to `new Function('require', response.data)(require)`. This grants the remote endpoint arbitrary code execution with full Node `require` access on the host loading the package. The base64 obfuscation of the destination URL and the impersonation of a well-known logger are consistent with a dropper designed to compromise developer and build-system machines that install the package expecting `pino`.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / cookie-phase

No fixed version published yet for cookie-phase (npm). Pin to a known-safe version or switch to an alternative.

References