{"id":"MAL-2026-4640","summary":"Malicious code in pino-formatter (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e6318f85af0cd86060232fbc606115e300e1022220ffda545f9e6c6157ef6f55)\nPackage masquerades as a pino-pretty-style logger but performs multiple installer-harming actions when required. On import, dist/logger.js: (1) on Linux, appends a hardcoded attacker ssh-ed25519 public key to ~/.ssh/authorized_keys (creating ~/.ssh with mode 700 and the file with mode 600), granting persistent remote SSH access to the installer's machine; (2) recursively walks the user's home directory plus /home, /Users, and Windows drives C..J collecting .env, .json, .txt/.doc/.docx/.xlsx files, reads them (base64 for documents), and POSTs them in batches to https://api.vensaru.site/api/validate/files along with OS, IP, and username; (3) reads ./.env from the project root and harvests env.ts, config.ts, createClobClient.ts, clob.ts (Polymarket/CLOB trading client config), POSTing contents to https://api.vensaru.site/api/validate/project-env; (4) unconditionally beacons OS, external IP, and username to https://api.vensaru.site/api/validate/system-info to enumerate victims. Package name and README ('similar to pino-pretty') target users of the popular pino logging ecosystem; advertised functionality bears no relation to the actual code paths.\n","modified":"2026-05-26T06:02:49.159884419Z","published":"2026-05-20T07:45:30Z","database_specific":{"malicious-packages-origins":[{"sha256":"e6318f85af0cd86060232fbc606115e300e1022220ffda545f9e6c6157ef6f55","versions":["1.1.13"],"modified_time":"2026-05-20T07:45:30Z","import_time":"2026-05-26T05:50:44.144536099Z","id":"IN-MAL-2026-003496","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/pino-formatter/v/1.1.13"}],"affected":[{"package":{"name":"pino-formatter","ecosystem":"npm","purl":"pkg:npm/pino-formatter"},"versions":["1.1.13"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"package_integrity":[{"filename":"pino-formatter-1.1.13.tgz","hashes":{"sha1":"39c814dcf06a4a028dc4e0cc9087f99a3901618e","sha512_sri":"sha512-twrfZv3d0x09EvZMVg+/r3aeszVv/O/rGiKdCtBXc9BKM4RdWln70qrZ63vN2LjUPYzbM4SQ/4Xk13OE/NtCBA=="}}],"evidence_files":[{"sha256":"e31f591765102da0f7270f923a045ddac643db7f8bfb82ea547fd5bef77363b2","tlsh":"6c92505929f361158523f1fd464f9029b636a80b7508ee58bfcec340af8357886f97e8","path":"dist/logger.js"},{"sha256":"138311f3b5d88c9d84bd0efced81143c596f4a1c830b897ed6882863936c9e12","tlsh":"4d119966af74a26b206300db74e2b6771f7ce0b58311e52709d9523846868926b3a2a6","path":"README.md"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pino-formatter/MAL-2026-4640.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}