MAL-2026-5734
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-denv/MAL-2026-5734.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-5734
- Published
- 2026-06-13T07:00:24Z
- Modified
- 2026-06-13T07:31:42.301097621Z
- Summary
- Malicious code in node-denv (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (1b0701ad772209918c78eb4d038cce43946517f3558cbec1988c121c115a641d)
node-denv presents itself as a pino-compatible logging middleware (index.js exports
module.exports.pino = middlewareand mimics pino's option shape including DEFAULTLEVELS, formatters.bindings, redact, and customLevels). When a consumer instantiates the middleware, the package spawns a detachednode lib/caller.jschild process. lib/caller.js performs an HTTPS GET against https://jsonkeeper.com/b/EXSIF, reads the.cookiefield from the JSON response, and passes it tonew Function.constructor("require", s)invoked with the realrequire— granting the remotely-fetched JavaScript full Node.js capabilities (filesystem, network, childprocess, env). The fetch is retried up to 5 times. A second jsonkeeper.com payload URL (https://jsonkeeper.com/b/ZK45J) is base64-encoded asDEV_API_KEYin lib/const.js as a fallback C2. jsonkeeper.com is an anonymous mutable JSON paste host — the attacker can change the executed payload at any time without republishing the package. The pino impersonation lures developers searching for the popular logger into installing this package, at which point any normal use triggers remote code execution on the installer's machine. - Database specific
{ "malicious-packages-origins": [ { "id": "IN-MAL-2026-006319", "versions": [ "1.3.5" ], "sha256": "1b0701ad772209918c78eb4d038cce43946517f3558cbec1988c121c115a641d", "source": "amazon-inspector", "modified_time": "2026-06-13T07:00:24Z", "import_time": "2026-06-13T07:25:39.455863348Z" }, { "id": "IN-MAL-2026-006320", "versions": [ "1.3.5" ], "sha256": "86a9df69748eedf7adab541a4701076fcfede5edbb2c492c29e8094cf2efc9ad", "source": "amazon-inspector", "modified_time": "2026-06-13T07:00:25Z", "import_time": "2026-06-13T07:25:39.555890651Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / node-denv
Package
- Name
- node-denv
- View open source insights on deps.dev
- Purl
- pkg:npm/node-denv
Database specific
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
indicators
{
"evidence_files": [
{
"path": "lib/caller.js",
"sha256": "c94c68398967a72596733d62b40d3b2df9490056a3b25bfd96333d0a88d84624",
"tlsh": "e701cb8f30fd101c019122e66b1fe4327010e85b390ae4d4374c87521ffa5aeaa53ede"
},
{
"path": "index.js",
"sha256": "32e82853dd646aac388b78f868241267a5e6483d847df3d4c843f8100590d469",
"tlsh": "30213f8175f111480658d9c8b569e5363ce3c4377207b9b0e9ecb7862bcf20c0272ad7"
},
{
"path": "lib/const.js",
"sha256": "9879ffb0bf61edef7e9b90ddc5fac9770c514c0cdecd9a07b15e8a677e6f8f74",
"tlsh": "8ac08c8351e4a89704301773610ca995f2a1d26f0c840b0331f594844a396a93840fbb"
}
],
"package_integrity": [
{
"filename": "node-denv-1.3.5.tgz",
"hashes": {
"sha512_sri": "sha512-XMA7YaAqsJQ2faeRQiRnrYFbnCxJ5eltibJfJtnC1HkzEcT/xHnvW7b4B93H0bDPSfquuEb94nZwQ83ROZcRnQ==",
"sha1": "570d4ebf7b96d9bde20223846382d04465536f44"
}
}
],
"ips": [
"104.16.212.131",
"104.16.11.34",
"10.1.0.2"
]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/node-denv/MAL-2026-5734.json"