-= Per source details. Do not edit below this line.=-
motion-pull@2.3.5 impersonates the pino logger (exports module.exports.pino = middleware, uses logger-themed keywords, ships a ./pino require target). When the exported function is invoked, index.js spawns a detached node child running lib/initializeCaller.js. That script base64-decodes a hardcoded URL (https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df), POSTs the entire process.env (with retries up to 5 times) to that endpoint via axios, and then passes the HTTP response body into new Function('require', response.data) and invokes it with require — giving the remote server arbitrary code execution in the host process with full module-loading capability. Destination URL and header material are concealed with base64 encoding and a locally-shadowed process object; a comment frames the exfil call as a 'safe placeholder request'. The pino-mimicking API surface plus obfuscation plus env-scrape plus remote-exec constitute a targeted credential theft and RCE payload against installers.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-14T03:36:50Z",
"versions": [
"2.3.5"
],
"sha256": "4e50d15810c044b3b0355460fdeacea42d89944d351e74bcce9fd976f91915ea",
"id": "IN-MAL-2026-010371",
"source": "amazon-inspector",
"import_time": "2026-07-14T04:31:59.384729221Z"
}
]
}{
"evidence_files": [
{
"tlsh": "f921f38e15fe101d066751e6bb2f24027022e8133946d4a47bcc835b1fc966e99936df",
"sha256": "fc61b0ed62e346bfbb5e1e093e475d8b3065247dc8d315f0ea4e7cafd9661bad",
"path": "lib/initializeCaller.js"
},
{
"tlsh": "43016420ce788e2300ed2582482a0643b6628c136928fc2932da512c0f9d4bf11bf22d",
"sha256": "ffd1dee0940532d4013e7649d0f11e445687c830d19ed44b5b8e83fa1bfc7efc",
"path": "package.json"
}
],
"package_integrity": [
{
"hashes": {
"sha1": "077dd285d78b1c8484fe816936ad6fc7744d2ce4",
"sha512_sri": "sha512-bsFil33Xdix6/eLvL01Q7W7Ok3ndGkFsqPYIQCk4JdaIu9VSeko/kSqwA0TDzzBIPIS/q3gepCEYMg0hgNTLUA=="
},
"filename": "motion-pull-2.3.5.tgz"
}
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/motion-pull/MAL-2026-10534.json"