-= Per source details. Do not edit below this line.=-
Package name impersonates the legitimate pino-debug. The main entry index.js requires a transitive dependency ('loadutils') that pulls a further dependency contacting a hardcoded C2 at https://fundraiser-success.vercel.app and executing a delivered payload in the consumer's Node process. This chain runs on any require()/import of pino-debugging. index.js additionally mutates require('module').wrap at top level to rewrite require() inside any node_modules/debug module, so that consumers of the popular 'debug' package are silently routed through this package's shim, expanding reach across the dependency tree. Shipped files (PUBLISH_GUIDE.md, CHANGELOG.md) openly describe the package as a supply-chain attack chain (pino-debugging -> debug-fnt/loadutils -> debug-glitzs -> C2 at fundraiser-success.vercel.app -> payload execution, including screenshot capture), while the README is copied from pino-debug and additional SECURITY*.md files assert 'Zero Known Vulnerabilities' and 'Production Ready' as cover.
{
"malicious-packages-origins": [
{
"versions": [
"1.1.3"
],
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"modified_time": "2026-06-29T06:27:33Z",
"sha256": "2f34694171d099a29f77430359b02afb82c2333967feb1ec6e0bd845b98244b9",
"id": "IN-MAL-2026-007766",
"source": "amazon-inspector",
"import_time": "2026-06-29T07:09:11.057165316Z"
},
{
"versions": [
"1.1.4"
],
"source": "amazon-inspector",
"modified_time": "2026-06-29T06:27:23Z",
"sha256": "7a1dec01ea37a9f36226fd542dd6dc519bb7e5a398895f29191aec15ac7c9e5f",
"id": "IN-MAL-2026-007765",
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"import_time": "2026-06-29T07:09:11.000841771Z"
}
]
}[
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
]
{
"package_integrity": [
{
"filename": "pino-debugging-1.1.3.tgz",
"hashes": {
"sha512_sri": "sha512-3Vx4D/tXzRa2KDI7uBgOkuGptoMhiqi7894h0pgKeUWLtn/yW8NMrrBHbSSIpjZ/Z6G+9+g34I9Gcx8QbtpNYw==",
"sha1": "2d50ff38b7aac4a6a16830f1e803c004042a398a"
}
}
],
"evidence_files": [
{
"path": "PUBLISH_GUIDE.md",
"tlsh": "fa0262ba4183e26d0737919bd01cb576ea6fe13f6e82c59cb0bd02282349db9431729d",
"sha256": "44079cad7f5c93e95aa11c6a691672c3c8f2935b5aa12e06d218a7ace9851a1c"
},
{
"path": "index.js",
"tlsh": "f591525839e7f0d26633a7b1c52f2411faba94231136e461f6cc91902fb210452baee9",
"sha256": "07375404832e92c062958515e03544d273c0c2552e933d33238f46d1bddaaf81"
},
{
"path": "CHANGELOG.md",
"tlsh": "88c16478b20b75279397069bd55f32732f79e65ea722102e44ac829c73436b4a36f07c",
"sha256": "1f5ca542b6efdeeddeebde29dc30052d97f96828b268656b5cf3234ffc28af0c"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pino-debugging/MAL-2026-6583.json"