VDB
KO

MAL-2026-10471

Malicious code in loading-sessions (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (ed919f49d3732fb5d4bd8b177022ed58d9c08b2cded5a6141e2da07c66966a94) Package name impersonates the pino logger (exports module.exports.pino, ships pino-style files lib/proto.js, lib/levels.js, lib/redaction.js, lib/multistream.js, lib/transport.js, copies pino keywords ['fast','logger','stream','json']). When the exported middleware is invoked, index.js spawns a detached `node lib/caller.js` child. lib/caller.js base64-decodes a hardcoded URL (https://api.jsonstorage.net/v1/json/2ef8c758-a96f-459e-b036-b3b90379a165/a179ea35-b962-4722-b3f1-e28316d1a44a) disguised as a `DEV_API_KEY` env-var fake, GETs the JSON document, and passes the response's `data.cookie` string to `new Function.constructor('require', s)` and invokes it with `require`. The fetched content is attacker-controlled and mutable, runs with full Node `require` access, retries up to 5 times, and is detached so failures are silent. Headers (`x-secret-key`) are also base64-decoded from masquerading env-var names. This is a classic remote-code dropper hidden behind a typosquat lure.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / loading-sessions

No fixed version published yet for loading-sessions (npm). Pin to a known-safe version or switch to an alternative.

References