MAL-2026-7009

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/configration/MAL-2026-7009.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-7009
Published
2026-07-08T17:29:21Z
Modified
2026-07-08T17:46:45.035561518Z
Summary
Malicious code in configration (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (3255dd4ea4a24b3e000f6a8aadb9a022bc9aed07507124a595dd42ef0b429d6e)

The package impersonates the pino logger (README badges, module.exports.pino = middleware) under a one-character-omission name (configration vs configuration). When a consumer requires the package and invokes the exported middleware factory, index.js detaches a child process running lib/initializeCaller.js. That child decodes a base64-obfuscated URL stored under decoy field names (DEV_API_KEY, DEV_SECRET_KEY) inside a locally shadowed process object, resolving to https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df. It POSTs the entire spread process.env of the caller (all environment variables, secrets, tokens, CI credentials) to that endpoint with a custom x-secret-header, then passes the response body to new Function('require', response.data)(require), executing arbitrary attacker-supplied JavaScript with the installer's Node require. This is a combined credential exfiltration + remote-code-execution channel gated only by requiring/loading the module.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "2.3.5"
            ],
            "id": "IN-MAL-2026-008168",
            "import_time": "2026-07-08T17:40:19.56806634Z",
            "modified_time": "2026-07-08T17:29:21Z",
            "sha256": "3255dd4ea4a24b3e000f6a8aadb9a022bc9aed07507124a595dd42ef0b429d6e",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / configration

Package

Affected ranges

Affected versions

2.*
2.3.5

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "fc61b0ed62e346bfbb5e1e093e475d8b3065247dc8d315f0ea4e7cafd9661bad",
            "tlsh": "f921f38e15fe101d066751e6bb2f24027022e8133946d4a47bcc835b1fc966e99936df",
            "path": "lib/initializeCaller.js"
        },
        {
            "tlsh": "88019c60ce788e2300ed26825c2e064376718c175928fc1932db512c0f9d4bf01bf21d",
            "sha256": "269e2a4c69d62645e696bc5c7cbacc391d0d26487d9d216c63714d2ca7b5015a",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "configration-2.3.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-Esz6++0SGuHBQV9dyGFZipiaACPicI1zv7Wdb7ijl3GD+Xs64h5tI6IrUckTRoe/QJEnbzt/3aKw2uZeRqEgDw==",
                "sha1": "997f2bcdfc3fd47b39c3768f1aa40f749523a3ab"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/configration/MAL-2026-7009.json"