MAL-2026-4196

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pinno-loggers/MAL-2026-4196.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4196
Published
2026-05-20T08:33:15Z
Modified
2026-05-20T22:16:42.465801320Z
Summary
Malicious code in pinno-loggers (npm)
Details

pinno-loggers is a malicious npm package that depends on terminal-logger-utils and triggers the malicious behavior in that package when installed or imported.

The terminal-logger-utils payload executes a postinstall hook that opens utils.cjs, an obfuscated malware dropper. The dropper downloads and runs a platform-specific second-stage binary from Hugging Face. The second-stage payload provides keylogger, infostealer, and RAT behavior, steals sensitive local data including Telegram Desktop sessions, browser login databases, crypto wallets, SSH keys, cloud configurations, environment variables, and keyword-matched files, and connects to a remote server for full machine control.
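
To check a project for the dependency chain described above, the following added example (not part of the advisory or of the OSV tooling) audits the `packages` map of an npm v2/v3 lockfile for both package names. It reports who depends on them and whether npm recorded install scripts. The sample lockfile, the `demo-app` and `left-pad` entries, and every version or range other than `1.0.0` are constructed for illustration.

```javascript
// Added example, not part of the advisory: audit an npm lockfile (v2/v3
// "packages" map) for the two package names this advisory identifies.
const FLAGGED = new Set(["pinno-loggers", "terminal-logger-utils"]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; "" is the root project.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? "(root project)" : lockPath.slice(idx + marker.length);
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(path);
    // hasInstallScript is how npm records that a package declares install hooks.
    const base = { path, name, version: meta.version ?? null,
                   hasInstallScript: meta.hasInstallScript === true };
    if (FLAGGED.has(name)) findings.push({ ...base, reason: "installed" });
    // Also report who pulls a flagged name in, so the parent can be removed too.
    for (const field of ["dependencies", "optionalDependencies", "devDependencies"]) {
      for (const dep of Object.keys(meta[field] || {})) {
        if (FLAGGED.has(dep)) findings.push({ ...base, reason: `depends on ${dep}` });
      }
    }
  }
  return findings;
}

// Constructed sample lockfile; versions and ranges other than 1.0.0 are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.1.0",
          dependencies: { "pinno-loggers": "^1.0.0", "left-pad": "^1.3.0" } },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/pinno-loggers": { version: "1.0.0",
          dependencies: { "terminal-logger-utils": "*" } },
    "node_modules/terminal-logger-utils": { version: "0.0.0-constructed",
          hasInstallScript: true },
  },
};

for (const f of auditLockfile(sampleLock)) {
  console.log(`${f.name}@${f.version} [${f.path || "."}] ${f.reason}` +
              (f.hasInstallScript ? " (has install script)" : ""));
}
```

An "installed" finding means the package was resolved into the dependency tree, so the postinstall hook described above may already have run on any machine that installed from that lockfile.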

Database specific
{
    "malicious-packages-origins": null
}

Affected packages

npm / pinno-loggers

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pinno-loggers/MAL-2026-4196.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]