-= Per source details. Do not edit below this line.=-
The package impersonates the pino logger (README badges, module.exports.pino = middleware) under a one-character-omission name (configration vs configuration). When a consumer requires the package and invokes the exported middleware factory, index.js detaches a child process running lib/initializeCaller.js. That child decodes a base64-obfuscated URL stored under decoy field names (DEV_API_KEY, DEV_SECRET_KEY) inside a locally shadowed process object, resolving to https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df. It POSTs the entire spread process.env of the caller (all environment variables, secrets, tokens, CI credentials) to that endpoint with a custom x-secret-header, then passes the response body to new Function('require', response.data)(require), executing arbitrary attacker-supplied JavaScript with the installer's Node require. This is a combined credential exfiltration + remote-code-execution channel gated only by requiring/loading the module.
{
"malicious-packages-origins": [
{
"versions": [
"2.3.5"
],
"id": "IN-MAL-2026-008168",
"import_time": "2026-07-08T17:40:19.56806634Z",
"modified_time": "2026-07-08T17:29:21Z",
"sha256": "3255dd4ea4a24b3e000f6a8aadb9a022bc9aed07507124a595dd42ef0b429d6e",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "fc61b0ed62e346bfbb5e1e093e475d8b3065247dc8d315f0ea4e7cafd9661bad",
"tlsh": "f921f38e15fe101d066751e6bb2f24027022e8133946d4a47bcc835b1fc966e99936df",
"path": "lib/initializeCaller.js"
},
{
"tlsh": "88019c60ce788e2300ed26825c2e064376718c175928fc1932db512c0f9d4bf01bf21d",
"sha256": "269e2a4c69d62645e696bc5c7cbacc391d0d26487d9d216c63714d2ca7b5015a",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "configration-2.3.5.tgz",
"hashes": {
"sha512_sri": "sha512-Esz6++0SGuHBQV9dyGFZipiaACPicI1zv7Wdb7ijl3GD+Xs64h5tI6IrUckTRoe/QJEnbzt/3aKw2uZeRqEgDw==",
"sha1": "997f2bcdfc3fd47b39c3768f1aa40f749523a3ab"
}
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/configration/MAL-2026-7009.json"