MAL-2026-6583

Malicious code in pino-debugging (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (2f34694171d099a29f77430359b02afb82c2333967feb1ec6e0bd845b98244b9)

Package name impersonates the legitimate pino-debug. The main entry index.js requires a transitive dependency ('loadutils') that pulls a further dependency contacting a hardcoded C2 at https://fundraiser-success.vercel.app and executing a delivered payload in the consumer's Node process. Loading occurs at any require()/import of pino-debugging.

index.js additionally mutates require('module').wrap at top level to rewrite require() inside any node_modules/debug module so that consumers of the popular 'debug' package are silently routed through this package's shim, expanding reach across the dependency tree.

Shipped files (PUBLISH_GUIDE.md, CHANGELOG.md) openly describe the package as a supply-chain attack chain (pino-debugging -> debug-fnt/loadutils -> debug-glitzs -> C2 at fundraiser-success.vercel.app -> payload execution, including screenshot capture), while the README is copied from pino-debug and additional SECURITY*.md files assert 'Zero Known Vulnerabilities' and 'Production Ready' as cover.

Affected packages

npm / pino-debugging
Introduced in: 0

No fixed version published yet for pino-debugging (npm). Pin to a known-safe version or switch to an alternative.
