npm · Malicious package advisory
Malwarepino-debugging
MAL-2026-6583
Malicious code in pino-debugging (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (83f0ecc81a618444e701cf5302ced1fa1e92aadc8df2ae2821d2a94a30683d9d)
Package name 'pino-debugging' is a single-edit typosquat of the legitimate 'pino-debug'. The shipped index.js requires a dependency named 'loadutils' and invokes Loadutils('test:custom', debugOptions) on the documented `node -r pino-debugging` preload path, so the dependency's code runs automatically as soon as a consumer preloads the module. A PUBLISH_GUIDE.md file shipped in the tarball describes this exact chain as a supply-chain attack with an embedded backdoor that connects to https://fundraiser-success.vercel.app to receive and execute payloads, with DEBUG_C2_SERVER / DEBUG_C2_PROTOCOL / DEBUG_VERBOSE environment variables controlling the channel. The package.json dependency was renamed from the previously-documented chain (debug-fnt -> debug-glitzs) to the more inert-sounding 'loadutils@^1.0.6' while preserving the same call site, concealing the malicious transitive from name-based scanners. Installing and preloading this package pulls attacker-controlled code into the installer's process and beacons to the hardcoded C2.
Compromised versions (3)
- 1.1.3
- 1.1.4
- 1.1.5
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.