{"id":"MAL-2026-6583","summary":"Malicious code in pino-debugging (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (2f34694171d099a29f77430359b02afb82c2333967feb1ec6e0bd845b98244b9)\nPackage name impersonates the legitimate pino-debug. The main entry index.js requires a transitive dependency ('loadutils') that pulls a further dependency contacting a hardcoded C2 at https://fundraiser-success.vercel.app and executing a delivered payload in the consumer's Node process. Loading occurs at any require()/import of pino-debugging. index.js additionally mutates require('module').wrap at top level to rewrite require() inside any node_modules/debug module so that consumers of the popular 'debug' package are silently routed through this package's shim, expanding reach across the dependency tree. Shipped files (PUBLISH_GUIDE.md, CHANGELOG.md) openly describe the package as a supply-chain attack chain (pino-debugging -\u003e debug-fnt/loadutils -\u003e debug-glitzs -\u003e C2 at fundraiser-success.vercel.app -\u003e payload execution, including screenshot capture), while the README is copied from pino-debug and additional SECURITY*.md files assert 'Zero Known Vulnerabilities' and 'Production Ready' as cover.\n","modified":"2026-06-29T07:16:42.216468982Z","published":"2026-06-29T06:27:23Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-007766","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}],"modified_time":"2026-06-29T06:27:33Z","versions":["1.1.3"],"import_time":"2026-06-29T07:09:11.057165316Z","source":"amazon-inspector","sha256":"2f34694171d099a29f77430359b02afb82c2333967feb1ec6e0bd845b98244b9"},{"id":"IN-MAL-2026-007765","ranges":[{"events":[{"introduced":"0"}],"type":"SEMVER"}],"versions":["1.1.4"],"modified_time":"2026-06-29T06:27:23Z","import_time":"2026-06-29T07:09:11.000841771Z","source":"amazon-inspector","sha256":"7a1dec01ea37a9f36226fd542dd6dc519bb7e5a398895f29191aec15ac7c9e5f"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/pino-debugging/v/1.1.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/pino-debugging/v/1.1.4"}],"affected":[{"package":{"name":"pino-debugging","ecosystem":"npm","purl":"pkg:npm/pino-debugging"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"versions":["1.1.3","1.1.4"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"fa0262ba4183e26d0737919bd01cb576ea6fe13f6e82c59cb0bd02282349db9431729d","path":"PUBLISH_GUIDE.md","sha256":"44079cad7f5c93e95aa11c6a691672c3c8f2935b5aa12e06d218a7ace9851a1c"},{"tlsh":"f591525839e7f0d26633a7b1c52f2411faba94231136e461f6cc91902fb210452baee9","path":"index.js","sha256":"07375404832e92c062958515e03544d273c0c2552e933d33238f46d1bddaaf81"},{"tlsh":"88c16478b20b75279397069bd55f32732f79e65ea722102e44ac829c73436b4a36f07c","path":"CHANGELOG.md","sha256":"1f5ca542b6efdeeddeebde29dc30052d97f96828b268656b5cf3234ffc28af0c"}],"package_integrity":[{"hashes":{"sha1":"2d50ff38b7aac4a6a16830f1e803c004042a398a","sha512_sri":"sha512-3Vx4D/tXzRa2KDI7uBgOkuGptoMhiqi7894h0pgKeUWLtn/yW8NMrrBHbSSIpjZ/Z6G+9+g34I9Gcx8QbtpNYw=="},"filename":"pino-debugging-1.1.3.tgz"}]},"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/pino-debugging/MAL-2026-6583.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}