tslint-conf
discovered 2026-07-09Repackaged pino logger (all lib/*.js, docs/, index.d.ts are pino's) with a decoy README, carrying a runtime-call-triggered RCE backdoor. Malicious files pino lacks: index.js (main), lib/caller.js, lib/const.js. Requiring it is inert; the payload fires only when the exported middleware is called (e.g. app.use(require('tslint-conf')())), spawning a detached node child running lib/caller.js which axios-GETs a Pinata IPFS gateway (header x-secret-key: _), reads resp.data.cookie, and executes it via Function.constructor with the real require+process in scope (RCE). lib/const.js is orphaned and carries a second base64 jsonkeeper dead-drop (b/4NAKK) linking to the first pair. No install lifecycle hook. Declares axios/request/sqlite3/parse-json: sqlite3+request SUSPECT browser cookie/credential SQLite theft in the UNFETCHED stage-2 (inferred from the manifest, NOT observed code; credential_stealer NOT asserted in threat_types). OSV MAL-2026-7022. Forged author Alexus111 <[email protected]>. Published 2026-07-07 by npm account conodeeth. SafeDep isMalware=true CONFIDENCE_HIGH.
Threat types
Malicious versions
- 7.2.1 · d4b7add83e5c716b…
Campaigns
Indicators
- url https://jsonkeeper.com/b/XRGF3communicates-with
- domain jsonkeeper.comcommunicates-with
- domain peach-eligible-penguin-917.mypinata.cloudcommunicates-with
- url https://peach-eligible-penguin-917.mypinata.cloud/ipfs/bafkreigjnxn5vnn34rc5r43ajwwkmk4akqpm4awmq5gdhakgszpeqiffsucommunicates-with
- url https://jsonkeeper.com/b/4NAKKindicates
- sha256 d4b7add83e5c716b5e52082f713d71ec9d7bfd93e358d500d77c2393302dd004indicates
- sha256 2956b023858d706a5e241cd28b845088e5f414c5f70bd5d8cb73cb427d081065indicates
- sha256 541c35bd90653c9d7f93cdadb7f52c281d7a1375ffc9c0e118cf1d9df977dea7indicates
- sha256 d10853dde92fdc48d8cb5505d89e0030fd35e1416a16a820fe5ec4aceef01c4findicates
- email [email protected]indicates
- domain jsonspack.comindicates
- email [email protected]indicates
Techniques
- ttp T1059.007 Command and Scripting Interpreter: JavaScriptuses
- ttp T1027 Obfuscated Files or Informationuses
- ttp T1140 Deobfuscate/Decode Files or Informationuses
- ttp T1102 Web Serviceuses
- ttp T1105 Ingress Tool Transferuses
- ttp T1622 Debugger Evasionuses
- ttp T1195.002 Compromise Software Supply Chainuses