VDB
KO

MAL-2026-10575

Malicious code in web-pop (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (40594f220414cf22d0879782f17f921f8c6fd17d054b70dd1a0c2b3851c0080a) web-pop is a typosquat of pino (copied description and keywords). On module load, lib/initializeCaller.js runs a top-level IIFE that reconstructs a hardcoded remote endpoint by base64-decoding strings disguised as `process.env.DEV_API_KEY`/`DEV_SECRET_KEY`/`DEV_SECRET_VALUE`, resolving to https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df. The IIFE POSTs the entire process.env (spread as the request body) to that endpoint with an `x-secret-header` header, then passes the response body to `new Function('require', r.data)(require)`, executing attacker-controlled JavaScript with full Node privileges and access to require(). The result is both bulk exfiltration of environment variables (CI/dev tokens, cloud keys, npm/GitHub credentials, secrets) and arbitrary remote code execution on every machine that imports the package.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / web-pop

No fixed version published yet for web-pop (npm). Pin to a known-safe version or switch to an alternative.

References