VDB
KO

MAL-2026-10440

Malicious code in type-context (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (6e4db69b627def6f11a74d5948b91006a46a3c73d90081be6f19716133cfaafb) The package presents itself as a pino-style logger (README and keywords reference logging; index.js exports `module.exports.pino = middleware`), but the exported middleware invokes runJobA, which spawns a detached `node lib/caller.js` child with stdio ignored and unref()'d. lib/caller.js fetches a JSON document from an anonymous, mutable pastebin-style host (https://json.extendsclass.com/bin/cddf5a07b53f and https://jsonkeeper.com/b/XRGF3, https://jsonkeeper.com/b/4NAKK) and executes the response body's `.cookie` field as JavaScript via `new Function.constructor('require', s)(require)`, giving the remote endpoint arbitrary code execution in the consumer's Node process with access to require(). The exfil/loader URLs are stored base64-encoded in lib/const.js (e.g. `DEV_API_KEY: 'aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iL1hSR0Yz'` decodes to https://jsonkeeper.com/b/XRGF3) to hide the destinations from casual inspection. The declared purpose (logging middleware) does not match the actual behavior (remote-fetch-and-eval dropper), and the fetched code is served from anonymous author-mutable hosts with no pinning or integrity check.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / type-context

No fixed version published yet for type-context (npm). Pin to a known-safe version or switch to an alternative.

References