MAL-2026-10471

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/loading-sessions/MAL-2026-10471.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10471
Published
2026-07-13T18:54:09Z
Modified
2026-07-13T19:16:56.017992629Z
Summary
Malicious code in loading-sessions (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (ed919f49d3732fb5d4bd8b177022ed58d9c08b2cded5a6141e2da07c66966a94)

Package name impersonates the pino logger (exports module.exports.pino, ships pino-style files lib/proto.js, lib/levels.js, lib/redaction.js, lib/multistream.js, lib/transport.js, copies pino keywords ['fast','logger','stream','json']). When the exported middleware is invoked, index.js spawns a detached node lib/caller.js child. lib/caller.js base64-decodes a hardcoded URL (https://api.jsonstorage.net/v1/json/2ef8c758-a96f-459e-b036-b3b90379a165/a179ea35-b962-4722-b3f1-e28316d1a44a) disguised as a DEV_API_KEY env-var fake, GETs the JSON document, and passes the response's data.cookie string to new Function.constructor('require', s) and invokes it with require. The fetched content is attacker-controlled and mutable, runs with full Node require access, retries up to 5 times, and is detached so failures are silent. Headers (x-secret-key) are also base64-decoded from masquerading env-var names. This is a classic remote-code dropper hidden behind a typosquat lure.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-13T18:54:09Z",
            "versions": [
                "6.13.2"
            ],
            "sha256": "ed919f49d3732fb5d4bd8b177022ed58d9c08b2cded5a6141e2da07c66966a94",
            "import_time": "2026-07-13T19:00:27.307313594Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010290"
        }
    ]
}
References
Credits

Affected packages

npm / loading-sessions

Package

Affected ranges

Affected versions

6.*
6.13.2

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "1b01af9934fe541c015112e9171fa1326050e4673d86e6c83b4c87129fa667e6e93adf",
            "sha256": "37e9dde0f35864e2ea8dcd4c8b5324ef50e3798195d04c30ba6938352af702db",
            "path": "lib/caller.js"
        },
        {
            "tlsh": "5d213c81b9f11188065cd9c8b569e53a38e3c4377207b9b0e9ec87862bcf2080272ad7",
            "sha256": "2956b023858d706a5e241cd28b845088e5f414c5f70bd5d8cb73cb427d081065",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha1": "277bc3b8cbccebcc3855a115cdac0aca086d5592",
                "sha512_sri": "sha512-3wpv2/9u/m09IGUZbUi4yockVcbtTE/djxJux3Qf4yLJmUXO1q8TClJTz2VtDKzrF1QHVeQqgM/UrASgFdYLNw=="
            },
            "filename": "loading-sessions-6.13.2.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/loading-sessions/MAL-2026-10471.json"