MAL-2026-10575
Malicious code in web-pop (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (40594f220414cf22d0879782f17f921f8c6fd17d054b70dd1a0c2b3851c0080a) web-pop is a typosquat of pino (copied description and keywords). On module load, lib/initializeCaller.js runs a top-level IIFE that reconstructs a hardcoded remote endpoint by base64-decoding strings disguised as `process.env.DEV_API_KEY`/`DEV_SECRET_KEY`/`DEV_SECRET_VALUE`, resolving to https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df. The IIFE POSTs the entire process.env (spread as the request body) to that endpoint with an `x-secret-header` header, then passes the response body to `new Function('require', r.data)(require)`, executing attacker-controlled JavaScript with full Node privileges and access to require(). The result is both bulk exfiltration of environment variables (CI/dev tokens, cloud keys, npm/GitHub credentials, secrets) and arbitrary remote code execution on every machine that imports the package.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for web-pop (npm). Pin to a known-safe version or switch to an alternative.