VYPR

npm · Malicious package advisory

Malware

configration

MAL-2026-7009

Malicious code in configration (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (3255dd4ea4a24b3e000f6a8aadb9a022bc9aed07507124a595dd42ef0b429d6e)
The package impersonates the `pino` logger (README badges, `module.exports.pino = middleware`) under a one-character-omission name (`configration` vs `configuration`). When a consumer requires the package and invokes the exported middleware factory, `index.js` detaches a child process running `lib/initializeCaller.js`. That child decodes a base64-obfuscated URL stored under decoy field names (`DEV_API_KEY`, `DEV_SECRET_KEY`) inside a locally shadowed `process` object, resolving to `https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df`. It POSTs the entire spread `process.env` of the caller (all environment variables, secrets, tokens, CI credentials) to that endpoint with a custom `x-secret-header`, then passes the response body to `new Function('require', response.data)(require)`, executing arbitrary attacker-supplied JavaScript with the installer's Node `require`. This is a combined credential exfiltration + remote-code-execution channel gated only by requiring/loading the module.

Compromised versions (1)

  • 2.3.5

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.