MAL-2026-4598

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/lhisp-logger/MAL-2026-4598.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4598
Published
2026-05-23T13:08:44Z
Modified
2026-05-26T06:02:40.138936757Z
Summary
Malicious code in lhisp-logger (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a9ba8f52d22e4435a81a1ffe643e4bb25b0e64fff60c585cac35c164e4ccb24f)

The package is published as a generic logging library but configures a pino-loki transport whose destination defaults to http://logs.lhprovedor.com.br:3100 — a host owned by the author. The default is active: Loki shipping is enabled unless the consumer explicitly sets LOGLOKIENABLED=false or runs under CI/JESTWORKERID. Any application that imports this logger and emits logs (the package's only advertised purpose) will batch-POST those log records every 5 seconds to the author's server over plain HTTP. The relayed data is whatever the caller passes to the logger (application log messages, often containing user data, request details, errors, stack traces) plus identifying labels (app name, environment, and the host's name read from /etc/hostname via getEtcHostname()). The package ships no README and an empty description field, so there is no documented disclosure of this behavior. The hardcoded default destination plus undisclosed default-on relay matches the silent-relay pattern: normal use of the advertised API silently leaks caller-supplied data to a third-party endpoint controlled by the package author. Plain HTTP additionally exposes the data in transit.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "a9ba8f52d22e4435a81a1ffe643e4bb25b0e64fff60c585cac35c164e4ccb24f",
            "id": "IN-MAL-2026-004328",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:52:23.266225321Z",
            "modified_time": "2026-05-23T13:08:44Z",
            "versions": [
                "3.1.10"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / lhisp-logger

Package

Affected ranges

Affected versions

3.*
3.1.10

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "src/lhisp-logger.js",
            "tlsh": "f791860dafe598bb427631981f7b501239ba92273006b8f0b34c937b1f9544cab75de9",
            "sha256": "21e6994b37483729ee57fa25e52875dda2c9051de08878aaa2c60c6425d63497"
        }
    ],
    "package_integrity": [
        {
            "filename": "lhisp-logger-3.1.10.tgz",
            "hashes": {
                "sha1": "67ab05373529ea6483bedece227d5b4a9a1a4d26",
                "sha512_sri": "sha512-juQpNBfHe6/N/4S7OBk/QGUvZkM9rfFfe8a75Ewt4Uj2nNUAMe2vT1P60bcoL9f9uSn5WUVtGEixY6Ki8u+QAQ=="
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/lhisp-logger/MAL-2026-4598.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]