Malicious code in node-denv (npm)

__

Source: amazon-inspector (1b0701ad772209918c78eb4d038cce43946517f3558cbec1988c121c115a641d)

node-denv presents itself as a pino-compatible logging middleware (index.js exports module.exports.pino = middleware and mimics pino's option shape including DEFAULT_LEVELS, formatters.bindings, redact, and customLevels). When a consumer instantiates the middleware, the package spawns a detached node lib/caller.js child process. lib/caller.js performs an HTTPS GET against https://jsonkeeper.com/b/EXSIF, reads the .cookie field from the JSON response, and passes it to new Function.constructor("require", s) invoked with the real require — granting the remotely-fetched JavaScript full Node.js capabilities (filesystem, network, child_process, env). The fetch is retried up to 5 times. A second jsonkeeper.com payload URL (https://jsonkeeper.com/b/ZK45J) is base64-encoded as DEV_API_KEY in lib/const.js as a fallback C2. jsonkeeper.com is an anonymous mutable JSON paste host — the attacker can change the executed payload at any time without republishing the package. The pino impersonation lures developers searching for the popular logger into installing this package, at which point any normal use triggers remote code execution on the installer's machine.