-= Per source details. Do not edit below this line.=-
The package advertises itself as a pino-style logger but its exported middleware spawns lib/caller.js as a detached Node child process. lib/caller.js performs an HTTP GET against a third-party mutable JSON-bin host (json.extendsclass.com/bin/26d6d7d075e1, with secondary jsonkeeper.com bins) and passes the returned string to new Function.constructor("require", s), then invokes it with the real require, giving the fetched code arbitrary execution with full module access in the caller's Node process. lib/const.js and lib/caller.js embed base64-encoded jsonkeeper.com bin URLs disguised as environment-variable defaults (e.g. DEVAPIKEY decodes to https://jsonkeeper.com/b/XRGF3), a standard evasion shape for staged remote-code loaders. The pino-like API surface and module.exports.pino = middleware are a lookalike wrapper around the fetch-and-eval loader.
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
{
"malicious-packages-origins": [
{
"sha256": "37979cc60cff25e26406f3426f0dd7aeac12c13e55402c89f78228080cac0ad9",
"id": "IN-MAL-2026-009611",
"import_time": "2026-07-10T15:23:36.869836521Z",
"modified_time": "2026-07-10T15:17:48Z",
"versions": [
"3.3.7"
],
"source": "amazon-inspector"
},
{
"sha256": "03a124b9fdf68baca03f8e109847668f7265163746492e8fb234cf1822a4464a",
"id": "GHSA-8mhh-r4mc-2293",
"import_time": "2026-07-10T20:45:17.761323894Z",
"modified_time": "2026-07-10T20:36:54Z",
"versions": [
"3.3.7"
],
"source": "ghsa-malware"
}
]
}{
"evidence_files": [
{
"sha256": "cfb5d9e644285bd872d3fa1921a279a29e2b0b47beaa5fe746c60287aa9e084f",
"tlsh": "fe017b8a30fe605c455510f64b1fb4317012e4173c8aeac53b8c83514fea9ae6973afd",
"path": "lib/caller.js"
},
{
"tlsh": "5d213c81b9f11188065cd9c8b569e53a38e3c4377207b9b0e9ec87862bcf2080272ad7",
"sha256": "2956b023858d706a5e241cd28b845088e5f414c5f70bd5d8cb73cb427d081065",
"path": "index.js"
}
],
"package_integrity": [
{
"filename": "type-plint-3.3.7.tgz",
"hashes": {
"sha512_sri": "sha512-3Jkm55u7ogaYqd4julcp3vN1dq/nE/oqxs2Iy6IVsYOJLy4MQT/XeRxqA3yS7PGsSjDi7JomEtqua7lphpdRqA==",
"sha1": "b9e574918230ef3dee7c9436816ee179dc4cbb8f"
}
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/type-plint/MAL-2026-10130.json"