MAL-2026-10410
Malicious code in cookie-phase (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (17bfab347de8288575bca9677b9eb7652b0024cdbffc1efebe387378c243299c) The package presents itself as the popular `pino` logger (README badges, exported `module.exports.pino = middleware`) but its name and metadata are unrelated. When a consumer imports the package and invokes the default export as middleware, `index.js` spawns a detached `node` child running `lib/initializeCaller.js`. That child hides the C2 destination inside base64 constants placed in a fake local `process.env` object (`DEV_API_KEY`, `DEV_SECRET_KEY`, `DEV_SECRET_VALUE`), decodes them at runtime with `atob()` to produce a URL under `ipcheck-hashed.vercel.app/api/auth/...`, POSTs to it via axios, and passes the response body directly to `new Function('require', response.data)(require)`. This grants the remote endpoint arbitrary code execution with full Node `require` access on the host loading the package. The base64 obfuscation of the destination URL and the impersonation of a well-known logger are consistent with a dropper designed to compromise developer and build-system machines that install the package expecting `pino`.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for cookie-phase (npm). Pin to a known-safe version or switch to an alternative.