{"id":"MAL-2026-4197","summary":"Malicious code in pretty-logger-utils (npm)","details":"pretty-logger-utils is a malicious npm package that depends on terminal-logger-utils and triggers the malicious behavior in that package when installed or imported.\n\nThe terminal-logger-utils payload executes a postinstall hook that opens utils.cjs, an obfuscated malware dropper. The dropper downloads and runs a platform-specific second-stage binary from Hugging Face. The second-stage payload provides keylogger, infostealer, and RAT behavior, steals sensitive local data including Telegram Desktop sessions, browser login databases, crypto wallets, SSH keys, cloud configurations, environment variables, and keyword-matched files, and connects to a remote server for full machine control.","modified":"2026-05-20T22:16:41.833494127Z","published":"2026-05-20T08:21:37Z","database_specific":{"malicious-packages-origins":null},"references":[{"type":"WEB","url":"https://www.ox.security/blog/north-korean-npm-infostealer-rat/"}],"affected":[{"package":{"name":"pretty-logger-utils","ecosystem":"npm","purl":"pkg:npm/pretty-logger-utils"},"versions":["1.0.0"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pretty-logger-utils/MAL-2026-4197.json"}}],"schema_version":"1.7.5","credits":[{"name":"OX Security","contact":["https://www.ox.security/"],"type":"FINDER"}]}