-= Per source details. Do not edit below this line.=-
Package name impersonates the pino logger (exports module.exports.pino, ships pino-style files lib/proto.js, lib/levels.js, lib/redaction.js, lib/multistream.js, lib/transport.js, copies pino keywords ['fast','logger','stream','json']). When the exported middleware is invoked, index.js spawns a detached node lib/caller.js child. lib/caller.js base64-decodes a hardcoded URL (https://api.jsonstorage.net/v1/json/2ef8c758-a96f-459e-b036-b3b90379a165/a179ea35-b962-4722-b3f1-e28316d1a44a) disguised as a DEV_API_KEY env-var fake, GETs the JSON document, and passes the response's data.cookie string to new Function.constructor('require', s) and invokes it with require. The fetched content is attacker-controlled and mutable, runs with full Node require access, retries up to 5 times, and is detached so failures are silent. Headers (x-secret-key) are also base64-decoded from masquerading env-var names. This is a classic remote-code dropper hidden behind a typosquat lure.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-13T18:54:09Z",
"versions": [
"6.13.2"
],
"sha256": "ed919f49d3732fb5d4bd8b177022ed58d9c08b2cded5a6141e2da07c66966a94",
"import_time": "2026-07-13T19:00:27.307313594Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-010290"
}
]
}{
"evidence_files": [
{
"tlsh": "1b01af9934fe541c015112e9171fa1326050e4673d86e6c83b4c87129fa667e6e93adf",
"sha256": "37e9dde0f35864e2ea8dcd4c8b5324ef50e3798195d04c30ba6938352af702db",
"path": "lib/caller.js"
},
{
"tlsh": "5d213c81b9f11188065cd9c8b569e53a38e3c4377207b9b0e9ec87862bcf2080272ad7",
"sha256": "2956b023858d706a5e241cd28b845088e5f414c5f70bd5d8cb73cb427d081065",
"path": "index.js"
}
],
"package_integrity": [
{
"hashes": {
"sha1": "277bc3b8cbccebcc3855a115cdac0aca086d5592",
"sha512_sri": "sha512-3wpv2/9u/m09IGUZbUi4yockVcbtTE/djxJux3Qf4yLJmUXO1q8TClJTz2VtDKzrF1QHVeQqgM/UrASgFdYLNw=="
},
"filename": "loading-sessions-6.13.2.tgz"
}
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/loading-sessions/MAL-2026-10471.json"