{"id":"MAL-2026-4196","summary":"Malicious code in pinno-loggers (npm)","details":"pinno-loggers is a malicious npm package that depends on terminal-logger-utils and triggers the malicious behavior in that package when installed or imported.\n\nThe terminal-logger-utils payload executes a postinstall hook that opens utils.cjs, an obfuscated malware dropper. The dropper downloads and runs a platform-specific second-stage binary from Hugging Face. The second-stage payload provides keylogger, infostealer, and RAT behavior, steals sensitive local data including Telegram Desktop sessions, browser login databases, crypto wallets, SSH keys, cloud configurations, environment variables, and keyword-matched files, and connects to a remote server for full machine control.","modified":"2026-05-20T22:16:42.465801320Z","published":"2026-05-20T08:33:15Z","database_specific":{"malicious-packages-origins":null},"references":[{"type":"WEB","url":"https://www.ox.security/blog/north-korean-npm-infostealer-rat/"}],"affected":[{"package":{"name":"pinno-loggers","ecosystem":"npm","purl":"pkg:npm/pinno-loggers"},"versions":["1.0.0"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pinno-loggers/MAL-2026-4196.json"}}],"schema_version":"1.7.5","credits":[{"name":"OX Security","contact":["https://www.ox.security/"],"type":"FINDER"}]}