MAL-2026-10164

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/type-async/MAL-2026-10164.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10164
Published
2026-07-10T17:50:03Z
Modified
2026-07-10T18:16:50.177161183Z
Summary
Malicious code in type-async (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d064750b4e3821d296d538ea749483e3f9cd54299645fc1c895e5c1af3639b5d)

The package presents itself as pino (typosquat; README mirrors pino). The main entry index.js exports a middleware factory that, on invocation, spawns lib/caller.js as a detached Node child process. lib/caller.js performs an HTTPS GET against a remote JSON pastebin (https://json.extendsclass.com/bin/250fca079abb), extracts the .cookie field of the response, and passes it to new Function.constructor("require", s), then invokes the resulting function with the host's require binding — giving whoever controls the pastebin arbitrary code execution on the machine that loaded the package, with full Node module access. Alternate payload URLs on jsonkeeper.com (https://jsonkeeper.com/b/XRGF3, https://jsonkeeper.com/b/4NAKK) are stored base64-encoded inside fake process.env objects in lib/caller.js and lib/const.js under a DEV_API_KEY key, obscuring the destination hosts from casual inspection. The fetched content is unpinned and mutable, the destinations are anonymous paste services unrelated to the package's advertised logging purpose, and the payload is executed with no integrity verification.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "d064750b4e3821d296d538ea749483e3f9cd54299645fc1c895e5c1af3639b5d",
            "id": "IN-MAL-2026-009689",
            "import_time": "2026-07-10T18:05:59.615449027Z",
            "modified_time": "2026-07-10T17:50:03Z",
            "versions": [
                "3.3.7"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / type-async

Package

Affected ranges

Affected versions

3.*
3.3.7

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "type-async-3.3.7.tgz",
            "hashes": {
                "sha512_sri": "sha512-9z8R0ap/2TvI5aGW6r7IR9QsekTlco00JU/I7IXeEmLBLdWrlHFGrR1Wov7rCK+x4uk0dW4KVN3DmQtJ9zEMMA==",
                "sha1": "28a97f0eb3168996a8931034622e8db580d2b02f"
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "79017b8a30fa605c055514f64b1fb0327012e4173c49ead53b9c83514fea9ae6963afd",
            "sha256": "99571c942ae0f86195f34f81c92a71e461e09504d714b71fda27075b4cfd5dfb",
            "path": "lib/caller.js"
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/type-async/MAL-2026-10164.json"