{"id":"MAL-2026-7009","summary":"Malicious code in configration (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (3255dd4ea4a24b3e000f6a8aadb9a022bc9aed07507124a595dd42ef0b429d6e)\nThe package impersonates the `pino` logger (README badges, `module.exports.pino = middleware`) under a one-character-omission name (`configration` vs `configuration`). When a consumer requires the package and invokes the exported middleware factory, `index.js` detaches a child process running `lib/initializeCaller.js`. That child decodes a base64-obfuscated URL stored under decoy field names (`DEV_API_KEY`, `DEV_SECRET_KEY`) inside a locally shadowed `process` object, resolving to `https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df`. It POSTs the entire spread `process.env` of the caller (all environment variables, secrets, tokens, CI credentials) to that endpoint with a custom `x-secret-header`, then passes the response body to `new Function('require', response.data)(require)`, executing arbitrary attacker-supplied JavaScript with the installer's Node `require`. This is a combined credential exfiltration + remote-code-execution channel gated only by requiring/loading the module.\n","modified":"2026-07-08T17:46:45.035561518Z","published":"2026-07-08T17:29:21Z","database_specific":{"malicious-packages-origins":[{"sha256":"3255dd4ea4a24b3e000f6a8aadb9a022bc9aed07507124a595dd42ef0b429d6e","modified_time":"2026-07-08T17:29:21Z","id":"IN-MAL-2026-008168","import_time":"2026-07-08T17:40:19.56806634Z","source":"amazon-inspector","versions":["2.3.5"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/configration/v/2.3.5"}],"affected":[{"package":{"name":"configration","ecosystem":"npm","purl":"pkg:npm/configration"},"versions":["2.3.5"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-Esz6++0SGuHBQV9dyGFZipiaACPicI1zv7Wdb7ijl3GD+Xs64h5tI6IrUckTRoe/QJEnbzt/3aKw2uZeRqEgDw==","sha1":"997f2bcdfc3fd47b39c3768f1aa40f749523a3ab"},"filename":"configration-2.3.5.tgz"}],"evidence_files":[{"sha256":"fc61b0ed62e346bfbb5e1e093e475d8b3065247dc8d315f0ea4e7cafd9661bad","path":"lib/initializeCaller.js","tlsh":"f921f38e15fe101d066751e6bb2f24027022e8133946d4a47bcc835b1fc966e99936df"},{"sha256":"269e2a4c69d62645e696bc5c7cbacc391d0d26487d9d216c63714d2ca7b5015a","path":"package.json","tlsh":"88019c60ce788e2300ed26825c2e064376718c175928fc1932db512c0f9d4bf01bf21d"}]},"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/configration/MAL-2026-7009.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}