VDB
EN

MAL-2026-10130

Malicious code in type-plint (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (37979cc60cff25e26406f3426f0dd7aeac12c13e55402c89f78228080cac0ad9) The package advertises itself as a pino-style logger but its exported middleware spawns lib/caller.js as a detached Node child process. lib/caller.js performs an HTTP GET against a third-party mutable JSON-bin host (json.extendsclass.com/bin/26d6d7d075e1, with secondary jsonkeeper.com bins) and passes the returned string to `new Function.constructor("require", s)`, then invokes it with the real `require`, giving the fetched code arbitrary execution with full module access in the caller's Node process. lib/const.js and lib/caller.js embed base64-encoded jsonkeeper.com bin URLs disguised as environment-variable defaults (e.g. DEV_API_KEY decodes to https://jsonkeeper.com/b/XRGF3), a standard evasion shape for staged remote-code loaders. The pino-like API surface and `module.exports.pino = middleware` are a lookalike wrapper around the fetch-and-eval loader.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / type-plint

No fixed version published yet for type-plint (npm). Pin to a known-safe version or switch to an alternative.

참고