VYPR

npm · Malicious package advisory

Malware

loading-session

MAL-2026-4600

Malicious code in loading-session (npm)

Details


---

## Source: amazon-inspector (640bfe1e0b6627e78ec34ef2d97df0d5d29d912446883f284c15935cc8f6f996)
Package advertises itself via a verbatim copy of pino's README, docs/, and index.d.ts (TypeScript types and documentation are pino's), but index.js does not implement a logger. The exported middleware unconditionally calls a helper that spawns `node./lib/caller.js` with `detached: true`, `stdio: 'ignore'`, and `child.unref()` on every invocation (index.js lines 31-37), disconnecting the child from the parent's stdout/stderr. The referenced `lib/caller.js` is absent from this version's tarball, so the spawn fails at runtime today, but the launcher shape is structurally a dropper. Shipped alongside is `lib/const.js`, which stores base64-wrapped fields under credential-shaped names (`DEV_API_KEY`, `DEV_SECRET_KEY`, `DEV_SECRET_VALUE`); the `DEV_API_KEY` value decodes to an anonymous JSON-storage URL on api.jsonstorage.net, a host commonly abused for mutable second-stage payload delivery and exfiltration. The combination — pino documentation deception used as cover, covert detached child-process launcher in the only exported function, and a base64-obfuscated anonymous-storage endpoint with credential-shaped siblings — is the staging shape of a dropper/C2 client, not a logger.
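
A static triage pass for the three indicators described above (a detached, unref'd spawn in the exported code, a spawned script that is missing from the tarball, and base64 literals that decode to URLs), written here as an added example rather than taken from the advisory or from the package; the package contents, the function names and the URL path are constructed for the demonstration.

```javascript
// Added example: static triage of an npm package for the advisory's indicators.
// Package contents are constructed inline; no real tarball is read.
const SPAWN_RE = /spawn\(\s*(?:['"]node['"]|process\.execPath)\s*,\s*\[\s*['"]([^'"]+)['"]/g;
const B64_RE = /['"]([A-Za-z0-9+/]{16,}={0,2})['"]/g;

// Launcher shape: spawn that is detached, has stdio ignored and is unref'd; returns launched scripts.
function findDetachedSpawns(src) {
  const detached = [/detached\s*:\s*true/, /stdio\s*:\s*['"]ignore['"]/, /\.unref\(\)/].every((re) => re.test(src));
  const scripts = [...src.matchAll(SPAWN_RE)].map((m) => m[1]);
  return { detached, scripts };
}

// Decode base64-looking string literals and keep only the ones that turn out to be URLs.
function base64Urls(src) {
  const urls = [];
  for (const m of src.matchAll(B64_RE)) {
    const decoded = Buffer.from(m[1], 'base64').toString('utf8');
    if (/^https?:\/\/[^\s'"]+$/.test(decoded)) urls.push(decoded);
  }
  return urls;
}

// files: { relativePath: sourceText }. Returns human-readable findings, one per indicator hit.
function auditPackage(files) {
  const findings = [];
  const norm = (p) => p.replace(/^\.\//, '');
  for (const [path, src] of Object.entries(files)) {
    if (!path.endsWith('.js')) continue;
    const { detached, scripts } = findDetachedSpawns(src);
    if (detached) {
      for (const s of scripts) {
        findings.push(`${path}: detached/unref spawn of ${s}`);
        if (!(norm(s) in files)) findings.push(`${path}: spawned script ${s} is missing from the package`);
      }
    }
    for (const url of base64Urls(src)) findings.push(`${path}: base64 literal decodes to ${url}`);
  }
  return findings;
}

// Constructed sample mirroring the advisory's shape; the URL path is a placeholder, not the real endpoint.
const SAMPLE_URL = 'https://api.jsonstorage.net/PLACEHOLDER-ID';
const SAMPLE = {
  'index.js': "const { spawn } = require('child_process');\n" +
    "const child = spawn('node', ['./lib/caller.js'], { detached: true, stdio: 'ignore' });\nchild.unref();\n" +
    "module.exports = function middleware(req, res, next) { next(); };",
  'lib/const.js': `module.exports = { DEV_API_KEY: '${Buffer.from(SAMPLE_URL).toString('base64')}' };`,
}; // lib/caller.js is deliberately absent, as in the advisory
console.log(auditPackage(SAMPLE).join('\n'));
```

The regexes are deliberately loose heuristics for triage; a real scan should tokenize the source rather than pattern-match it, since a `spawn` call built from variables or through `execFile` would not be caught here.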

Compromised versions (2)

  • 4.2.1
  • 4.2.2

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.