VYPR

npm · Malicious package advisory

Malware

cookie-phase

MAL-2026-10410

Malicious code in cookie-phase (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (17bfab347de8288575bca9677b9eb7652b0024cdbffc1efebe387378c243299c)
The package presents itself as the popular `pino` logger (README badges, exported `module.exports.pino = middleware`) but its name and metadata are unrelated. When a consumer imports the package and invokes the default export as middleware, `index.js` spawns a detached `node` child running `lib/initializeCaller.js`. That child hides the C2 destination inside base64 constants placed in a fake local `process.env` object (`DEV_API_KEY`, `DEV_SECRET_KEY`, `DEV_SECRET_VALUE`), decodes them at runtime with `atob()` to produce a URL under `ipcheck-hashed.vercel.app/api/auth/...`, POSTs to it via axios, and passes the response body directly to `new Function('require', response.data)(require)`. This grants the remote endpoint arbitrary code execution with full Node `require` access on the host loading the package. The base64 obfuscation of the destination URL and the impersonation of a well-known logger are consistent with a dropper designed to compromise developer and build-system machines that install the package expecting `pino`.

Compromised versions (1)

  • 2.3.5

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.