VDB
KO

MAL-2026-5577

Malicious code in web-pool (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (d2b1d78cd3ff0c5eeead299eb670d299590b48a453c9416ae2a692bc4173737c) Requiring web-pool triggers middleware() to spawn a detached `node lib/initializeCaller.js`. That script base64-decodes a hardcoded endpoint (https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df), POSTs the entire `process.env` (CI tokens, npm tokens, AWS_*, GITHUB_TOKEN, arbitrary secrets) to it, and executes the HTTP response body via `new Function('require', response.data)(require)` — granting the attacker arbitrary code execution under the installer's Node process. The C2 URL is hidden behind base64 inside a fake local `process` object that shadows Node's real `process`, an obfuscation pattern designed to defeat static URL scanning. The README masquerades as the `pino` logger (titled `web-corn`, badges and links point to npm pino and pinojs/pino), making this a typosquat lure with a malware loader as its only real behavior.

## Source: ghsa-malware (50ad60f10cd9ca947a6472d933ae092c9a32cc7e75e0ad3a95d1117419a6070a) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / web-pool

No fixed version published yet for web-pool (npm). Pin to a known-safe version or switch to an alternative.

References