MAL-2026-10440
Malicious code in type-context (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (6e4db69b627def6f11a74d5948b91006a46a3c73d90081be6f19716133cfaafb) The package presents itself as a pino-style logger (README and keywords reference logging; index.js exports `module.exports.pino = middleware`), but the exported middleware invokes runJobA, which spawns a detached `node lib/caller.js` child with stdio ignored and unref()'d. lib/caller.js fetches a JSON document from an anonymous, mutable pastebin-style host (https://json.extendsclass.com/bin/cddf5a07b53f and https://jsonkeeper.com/b/XRGF3, https://jsonkeeper.com/b/4NAKK) and executes the response body's `.cookie` field as JavaScript via `new Function.constructor('require', s)(require)`, giving the remote endpoint arbitrary code execution in the consumer's Node process with access to require(). The exfil/loader URLs are stored base64-encoded in lib/const.js (e.g. `DEV_API_KEY: 'aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iL1hSR0Yz'` decodes to https://jsonkeeper.com/b/XRGF3) to hide the destinations from casual inspection. The declared purpose (logging middleware) does not match the actual behavior (remote-fetch-and-eval dropper), and the fetched code is served from anonymous author-mutable hosts with no pinning or integrity check.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for type-context (npm). Pin to a known-safe version or switch to an alternative.