MAL-2026-5994
Malicious code in ts-webplug (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (2a205cee3f545c9dd5083055f8dad50c5e131603bf50d37bbb3f7ef5a744d88f)

ts-webplug@3.0.5 impersonates the pino logger (exports named `pino`, lib/ tree mirroring pino's file layout, keywords fast/logger/stream/json) but its main export wires consumers into a remote-code-execution dropper. index.js's `middleware` export spawns a detached `node lib/caller.js` (`spawn('node', [...], { detached: true, stdio: 'ignore' })` followed by `child.unref()`) so the child survives the parent. caller.js then fetches JavaScript from https://jsonkeeper.com/b/U2BTS (an anonymous, mutable JSON-paste host) and executes the response's `cookie` field with `new Function.constructor('require', s); handler(require)`, granting the remote payload full Node `require()` access on the installer's machine. Decoy `process.env` strings (DEV_API_KEY etc.) base64-decode to additional jsonkeeper.com URLs. The harm fires whenever a consumer imports the package and invokes the default/`pino`-named middleware — a path developers reach immediately when they install what they believe is a pino-shaped logger.
Affected packages
No fixed version published yet for ts-webplug (npm). Pin to a known-safe version or switch to an alternative.