VYPR
← All malware advisories

npm · Malicious package advisory

Malware

node-denv

MAL-2026-5734

Malicious code in node-denv (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (1b0701ad772209918c78eb4d038cce43946517f3558cbec1988c121c115a641d)
node-denv presents itself as a pino-compatible logging middleware (index.js exports `module.exports.pino = middleware` and mimics pino's option shape including DEFAULT_LEVELS, formatters.bindings, redact, and customLevels). When a consumer instantiates the middleware, the package spawns a detached `node lib/caller.js` child process. lib/caller.js performs an HTTPS GET against https://jsonkeeper.com/b/EXSIF, reads the `.cookie` field from the JSON response, and passes it to `new Function.constructor("require", s)` invoked with the real `require` — granting the remotely-fetched JavaScript full Node.js capabilities (filesystem, network, child_process, env). The fetch is retried up to 5 times. A second jsonkeeper.com payload URL (https://jsonkeeper.com/b/ZK45J) is base64-encoded as `DEV_API_KEY` in lib/const.js as a fallback C2. jsonkeeper.com is an anonymous mutable JSON paste host — the attacker can change the executed payload at any time without republishing the package. The pino impersonation lures developers searching for the popular logger into installing this package, at which point any normal use triggers remote code execution on the installer's machine.

Compromised versions (1)

  • 1.3.5

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.