VDB
KO

MAL-2026-7009

Malicious code in configration (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (3255dd4ea4a24b3e000f6a8aadb9a022bc9aed07507124a595dd42ef0b429d6e) The package impersonates the `pino` logger (README badges, `module.exports.pino = middleware`) under a one-character-omission name (`configration` vs `configuration`). When a consumer requires the package and invokes the exported middleware factory, `index.js` detaches a child process running `lib/initializeCaller.js`. That child decodes a base64-obfuscated URL stored under decoy field names (`DEV_API_KEY`, `DEV_SECRET_KEY`) inside a locally shadowed `process` object, resolving to `https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df`. It POSTs the entire spread `process.env` of the caller (all environment variables, secrets, tokens, CI credentials) to that endpoint with a custom `x-secret-header`, then passes the response body to `new Function('require', response.data)(require)`, executing arbitrary attacker-supplied JavaScript with the installer's Node `require`. This is a combined credential exfiltration + remote-code-execution channel gated only by requiring/loading the module.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / configration

No fixed version published yet for configration (npm). Pin to a known-safe version or switch to an alternative.

References