MAL-2026-4640

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pino-formatter/MAL-2026-4640.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4640
Published
2026-05-20T07:45:30Z
Modified
2026-05-26T06:02:49.159884419Z
Summary
Malicious code in pino-formatter (npm)
Details


Source: amazon-inspector (e6318f85af0cd86060232fbc606115e300e1022220ffda545f9e6c6157ef6f55)

Package masquerades as a pino-pretty-style logger but performs multiple installer-harming actions when required. On import, dist/logger.js:
(1) on Linux, appends a hardcoded attacker ssh-ed25519 public key to ~/.ssh/authorized_keys (creating ~/.ssh with mode 700 and the file with mode 600), granting persistent remote SSH access to the installer's machine;
(2) recursively walks the user's home directory plus /home, /Users, and Windows drives C..J collecting .env, .json, and .txt/.doc/.docx/.xlsx files, reads them (base64-encoded for documents), and POSTs them in batches to https://api.vensaru.site/api/validate/files along with OS, IP, and username;
(3) reads ./.env from the project root and harvests env.ts, config.ts, createClobClient.ts and clob.ts (Polymarket/CLOB trading client config), POSTing their contents to https://api.vensaru.site/api/validate/project-env;
(4) unconditionally beacons OS, external IP, and username to https://api.vensaru.site/api/validate/system-info to enumerate victims.
The package name and README ('similar to pino-pretty') target users of the popular pino logging ecosystem; the advertised functionality bears no relation to the actual code paths.
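A lockfile check a responder can run against affected projects, added here as an example and not part of the OSV record: it walks a package-lock.json (lockfileVersion 1, 2 or 3) and flags pino-formatter entries by the version and sha512 SRI hash listed in this advisory. The sample lockfiles embedded below are constructed for the stand-alone run.

```python
import json
import sys

# Indicators copied from the MAL-2026-4640 record (package, version, tarball SRI).
MALICIOUS_PACKAGE = "pino-formatter"
MALICIOUS_VERSIONS = {"1.1.13"}
MALICIOUS_SRI = ("sha512-twrfZv3d0x09EvZMVg+/r3aeszVv/O/rGiKdCtBXc9BKM4RdWln70qrZ63vN2LjUPYzbM4SQ/"
                 "4Xk13OE/NtCBA==")

def _classify(path, meta):
    version = meta.get("version", "")
    if meta.get("integrity") == MALICIOUS_SRI:
        return (path, version, "integrity matches MAL-2026-4640 tarball")
    if version in MALICIOUS_VERSIONS:
        return (path, version, "version listed as malicious")
    return (path, version, "package present, version not flagged; review manually")

def find_matches(lock):
    """Return (install path, version, verdict) for every pino-formatter entry.
    lockfileVersion 2/3 use a flat 'packages' map; v1 nests 'dependencies'."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        # keys look like "node_modules/a/node_modules/pino-formatter"; "" is the root
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if name == MALICIOUS_PACKAGE:
            hits.append(_classify(path, meta))
    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == MALICIOUS_PACKAGE:
                hits.append(_classify(path, meta))
            walk(meta.get("dependencies", {}), path + "/")
    if "packages" not in lock:  # v2 carries both maps; avoid double counting
        walk(lock.get("dependencies", {}), "")
    return hits

# Constructed sample lockfiles (not real project files) for a stand-alone run.
SAMPLE_LOCK_V3 = {"lockfileVersion": 3, "packages": {
    "": {"name": "app", "version": "1.0.0"},
    "node_modules/pino": {"version": "9.0.0", "integrity": "sha512-notreal=="},
    "node_modules/pino-formatter": {"version": "1.1.13", "integrity": MALICIOUS_SRI},
}}
SAMPLE_LOCK_V1 = {"lockfileVersion": 1, "dependencies": {
    "some-lib": {"version": "2.0.0", "dependencies": {
        "pino-formatter": {"version": "1.0.0", "integrity": "sha512-notreal=="}}},
}}

if __name__ == "__main__":
    with open(sys.argv[1] if len(sys.argv) > 1 else "package-lock.json") as fh:
        for hit in find_matches(json.load(fh)):
            print("%s@%s: %s" % hit)
```

Any hit should be followed by the host-level checks implied by the behaviours above: unexpected entries in ~/.ssh/authorized_keys and outbound requests to api.vensaru.site.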

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "e6318f85af0cd86060232fbc606115e300e1022220ffda545f9e6c6157ef6f55",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T07:45:30Z",
            "id": "IN-MAL-2026-003496",
            "import_time": "2026-05-26T05:50:44.144536099Z",
            "versions": [
                "1.1.13"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / pino-formatter

Package: npm / pino-formatter
Affected ranges: 1.*
Affected versions: 1.1.13

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pino-formatter/MAL-2026-4640.json"
indicators
{
    "package_integrity": [
        {
            "filename": "pino-formatter-1.1.13.tgz",
            "hashes": {
                "sha1": "39c814dcf06a4a028dc4e0cc9087f99a3901618e",
                "sha512_sri": "sha512-twrfZv3d0x09EvZMVg+/r3aeszVv/O/rGiKdCtBXc9BKM4RdWln70qrZ63vN2LjUPYzbM4SQ/4Xk13OE/NtCBA=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "dist/logger.js",
            "tlsh": "6c92505929f361158523f1fd464f9029b636a80b7508ee58bfcec340af8357886f97e8",
            "sha256": "e31f591765102da0f7270f923a045ddac643db7f8bfb82ea547fd5bef77363b2"
        },
        {
            "path": "README.md",
            "tlsh": "4d119966af74a26b206300db74e2b6771f7ce0b58311e52709d9523846868926b3a2a6",
            "sha256": "138311f3b5d88c9d84bd0efced81143c596f4a1c830b897ed6882863936c9e12"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]