npm · Malicious package advisory
Malwareweb-pop
MAL-2026-10575
Malicious code in web-pop (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (40594f220414cf22d0879782f17f921f8c6fd17d054b70dd1a0c2b3851c0080a)
web-pop is a typosquat of pino (copied description and keywords). On module load, lib/initializeCaller.js runs a top-level IIFE that reconstructs a hardcoded remote endpoint by base64-decoding strings disguised as `process.env.DEV_API_KEY`/`DEV_SECRET_KEY`/`DEV_SECRET_VALUE`, resolving to https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df. The IIFE POSTs the entire process.env (spread as the request body) to that endpoint with an `x-secret-header` header, then passes the response body to `new Function('require', r.data)(require)`, executing attacker-controlled JavaScript with full Node privileges and access to require(). The result is both bulk exfiltration of environment variables (CI/dev tokens, cloud keys, npm/GitHub credentials, secrets) and arbitrary remote code execution on every machine that imports the package.
Compromised versions (1)
- 2.3.5
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.