VYPR

npm · Malicious package advisory

Malware

zod-pino

MAL-2026-6273

Malicious code in zod-pino (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (c536e5a7ee3d5542e1ac822b30ba4525e52b2ae0c964d0c2470468d91b9b41c8)
The package is published under a name suggesting a Pino logger integration for Zod, but the tarball contents do not match that purpose and exhibit multiple installer-harm fingerprints:

- scripts/postinstall-agent.mjs runs at install time and performs outbound network activity (GET requests, ping/host probing, identifier collection). A logging-schema package has no legitimate reason to ship a postinstall agent that beacons out.
- dist/discordRelayUpload.js implements POST-based upload flows with base64 encoding/decoding of payloads and host-reachability probes (ping) — a Discord-channel relay used for off-host data delivery, unrelated to the package's advertised purpose.
- dist/secretScan/contentScanner.js and dist/secretScan/agentStartupAudit.js implement a secret-scanning routine that fetches huggingface.co endpoints from an 'agent startup audit' code path, with base64 buffer handling consistent with credential extraction and transmission.
- dist/hfCredentials.js handles base64-encoded Hugging Face credentials, and dist/deploymentDefaults.js plus scripts/encode-deployment.mjs perform multi-stage base64 decoding of deployment payloads — typical staged-payload obfuscation.
- dist/relayServer.js bundles a long-lived relay/server component with repeated host-probe (ping) primitives.

Taken together — install-time agent with outbound traffic, secret-scanning + credential modules, base64-staged deployment payloads, and a Discord upload relay, all in a package nominally advertised as a zod/pino integration — the shipped behavior matches an exfiltration/relay toolchain rather than a logging utility. Installing this package triggers the postinstall agent automatically.

## Source: ghsa-malware (d4630d39e948537d5f62634527a049fc08b52373594e92b1fe1db32b7684cbe6)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Compromised versions (6)

  • 1.0.122
  • 1.0.123
  • 1.0.124
  • 1.0.126
  • 1.0.127
  • 1.0.125

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.