npm · Malicious package advisory
Malwaremidpatch
MAL-2026-4611
Malicious code in midpatch (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (fe668e556f4b46fce125c318ebc3bea93185c78ec36c19f8991bbcb36172a62b)
The package advertises a logger middleware (keywords fast/logger/stream/json, exports `module.exports.pino = middleware`, file.js wraps a `./pino` module) so consumers will install and mount it as Express middleware. On first invocation, index.js spawns a detached, stdio-ignored child process running `node lib/caller.js`, which fetches JavaScript from `https://jsonkeeper.com/b/XRGF3` (a public, attacker-mutable paste host) and evaluates the response's `cookie` field via `new Function.constructor('require', s)(require)`, granting the remote payload full Node `require` access. The C2 URLs are base64-obfuscated inside fake `process.env` defaults (`DEV_API_KEY: "aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iL1hSR0Yz"` and a second paste ID `4NAKK` in lib/const.js) to evade casual review and string scanners. The combination of pino-shaped lure + detached/hidden child + remote-fetched eval from a mutable paste host + base64-hidden endpoints is unambiguous supply-chain RCE — any consumer that mounts the middleware executes attacker-controlled code.
Compromised versions (1)
- 1.1.9
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.