VYPR

npm · Malicious package advisory

Malware

midcorp

MAL-2026-4610

Malicious code in midcorp (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (bc6725ed066ed5aff9452bd82d278fd89c1548768124d8b89cb8e5a5e8c3b05a)
The package masquerades as a pino-compatible logger (package.json keywords `fast`/`logger`/`stream`/`json`, exports `module.exports.pino = middleware`, lib filenames `proto.js`, `redaction.js`, `multistream.js`, `transport.js`, `worker.js` mirror pino's layout), but its actual runtime behavior is a remote-code-execution dropper. When a consumer requires midcorp and invokes the exported `middleware()` from `index.js`, a detached/unref'd child process spawns `lib/caller.js`, which performs `axios.get` against `https://jsonkeeper.com/b/XRGF3` (an anonymous, mutable paste-bin host) and passes the returned `data.cookie` field to `new Function.constructor('require', s)(require)` — handing attacker-controlled JavaScript full Node.js `require` capabilities. The C2 URL is obfuscated as a base64 string disguised as a fake `process.env.DEV_API_KEY` default in `lib/caller.js` / `lib/const.js` (`aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iL1hSR0Yz` → `https://jsonkeeper.com/b/XRGF3`), with a backup paste ID (`4NAKK`). The description field is unrelated boilerplate about vulnerability management. Three independent block signals (remote-eval of paste-bin content, pino impersonation cover, base64-hidden C2) leave no benign interpretation.

Compromised versions (1)

  • 1.1.9

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.