{"id":"MAL-2026-5994","summary":"Malicious code in ts-webplug (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (2a205cee3f545c9dd5083055f8dad50c5e131603bf50d37bbb3f7ef5a744d88f)\nts-webplug@3.0.5 impersonates the pino logger (exports named `pino`, lib/ tree mirroring pino's file layout, keywords fast/logger/stream/json) but its main export wires consumers into a remote-code-execution dropper. index.js's `middleware` export spawns a detached `node lib/caller.js` (`spawn('node', [...], { detached: true, stdio: 'ignore' })` followed by `child.unref()`) so the child survives the parent. caller.js then fetches JavaScript from https://jsonkeeper.com/b/U2BTS (an anonymous, mutable JSON-paste host) and executes the response's `cookie` field with `new Function.constructor('require', s); handler(require)`, granting the remote payload full Node `require()` access on the installer's machine. Decoy `process.env` strings (DEV_API_KEY etc.) base64-decode to additional jsonkeeper.com URLs. The harm fires whenever a consumer imports the package and invokes the default/`pino`-named middleware — a path developers reach immediately when they install what they believe is a pino-shaped logger.\n","modified":"2026-06-17T06:02:05.537845031Z","published":"2026-06-17T04:23:11Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-006883","import_time":"2026-06-17T05:45:42.115211051Z","sha256":"2a205cee3f545c9dd5083055f8dad50c5e131603bf50d37bbb3f7ef5a744d88f","versions":["3.0.5"],"source":"amazon-inspector","modified_time":"2026-06-17T04:23:11Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/ts-webplug/v/3.0.5"}],"affected":[{"package":{"name":"ts-webplug","ecosystem":"npm","purl":"pkg:npm/ts-webplug"},"versions":["3.0.5"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-webplug/MAL-2026-5994.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"filename":"ts-webplug-3.0.5.tgz","hashes":{"sha512_sri":"sha512-Cu7DZU9tIoU2WPKGYLjSvvxZFwwhnMZzfxui+9lWUU9Mj0Lfpszh5f13P1VACDxY90dHAWjxGIpYxJu9/5lbkg==","sha1":"9a8c117f5c858572f806a8e03e7a5259034ec9b6"}}],"evidence_files":[{"sha256":"6e9c6643cf66d24db6350eb1c03d6f0f862243ee18ab557c9be20d847dff9f36","tlsh":"c2017b4a30fa605c015510f64b1fe4317012e4173c49e5c5378c87514fea5ae6963eed","path":"lib/caller.js"},{"sha256":"2956b023858d706a5e241cd28b845088e5f414c5f70bd5d8cb73cb427d081065","tlsh":"5d213c81b9f11188065cd9c8b569e53a38e3c4377207b9b0e9ec87862bcf2080272ad7","path":"index.js"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}