malware npm

tslint-conf

discovered 2026-07-09

Repackaged pino logger (all lib/*.js, docs/, index.d.ts are pino's) with a decoy README, carrying a runtime-call-triggered RCE backdoor. Malicious files pino lacks: index.js (main), lib/caller.js, lib/const.js. Requiring it is inert; the payload fires only when the exported middleware is called (e.g. app.use(require('tslint-conf')())), spawning a detached node child running lib/caller.js which axios-GETs a Pinata IPFS gateway (header x-secret-key: _), reads resp.data.cookie, and executes it via Function.constructor with the real require+process in scope (RCE). lib/const.js is orphaned and carries a second base64 jsonkeeper dead-drop (b/4NAKK) linking to the first pair. No install lifecycle hook. Declares axios/request/sqlite3/parse-json: sqlite3+request SUSPECT browser cookie/credential SQLite theft in the UNFETCHED stage-2 (inferred from the manifest, NOT observed code; credential_stealer NOT asserted in threat_types). OSV MAL-2026-7022. Forged author Alexus111 <[email protected]>. Published 2026-07-07 by npm account conodeeth. SafeDep isMalware=true CONFIDENCE_HIGH.

Threat types

c2_agent data_exfiltration other

Malicious versions

  • 7.2.1 · d4b7add83e5c716b…

Campaigns

Indicators

Techniques

Read the full analysis →