⛔ Malware Advisory Detected 2026-06-24 · 00:02 UTC
Confirmed malicious. codelake independently detected this at 2026-06-24 · 00:02 UTC — OSV documented it first (2026-06-22 21:53 UTC, ~2 days earlier); codelake detected and archived version 1.0.127 independently on 2026-06-24 — npm has since removed it and left only a 0.0.1-security tombstone, so codelake retains the original artifact.. Also documented publicly: MAL-2026-6273 (OSV, 2026-06-22 21:53 UTC).
Advisory · CLR-2026-2988

A multi-stage credential stealer hiding inside a fake “zod-pino” utility

The npm package [email protected] posed as a simple integration of the popular zod and pino libraries. On install it silently bootstraps a persistent agent that harvests crypto wallets, browser credentials, Chromium extension databases, Discord tokens, the clipboard and secret files, and exfiltrates them to a hardcoded C2 relay plus Discord and HuggingFace. codelake captured the original artifact before it was pulled from the registry.

CriticalConfirmed maliciousStealer / RATnpmAI + IOC verified
Summary

The npm package zod-pino (version 1.0.127) presented itself as a lightweight bridge between two of npm's most-downloaded libraries — zod (schema validation) and pino (logging). Its actual purpose was the opposite of benign: a multi-stage information stealer with remote-control (RAT) capabilities, staged across dozens of files so a shallow scan would miss it.

The malicious behaviour is not hidden in the source you read on the registry page — it fires from a chain of postinstall lifecycle scripts that run automatically on npm install, before the developer ever imports the package. Those scripts materialise and start a long-running agent and keep it alive via a process manager, so a single install compromises the machine and survives reboots.

codelake detected and archived version 1.0.127 within its continuous npm scan. The package has since been removed from the registry and replaced by an empty 0.0.1-security placeholder — meaning the working sample and the evidence below are preserved in the codelake archive.

How it works — the kill-chain

1 · Disguise. The package name and metadata impersonate a routine zod+pino utility (main: dist/index.js); nothing in the public listing hints at the payload.

2 · Auto-execution on install. A five-stage postinstall chain runs on npm install — a clipboard hook, a “durable-materialize” step, a bootstrap step and an agent launcher — dropping and starting a resident process without any action from the victim.

3 · Persistence. The agent is registered with a process manager (pm2 daemon + autostart), and Windows PowerShell helpers disguise it as a “windows-update” task — so it restarts on boot and resists casual cleanup.

4 · Harvest. The agent targets crypto wallets (wallet.dat), Chromium credential stores (Login Data), Chromium extension databases, Discord tokens, the clipboard, live desktop input, and any file matching a bundled secret-filename pattern list — reaching into ~/ and AppData.

5 · Exfiltration. Collected data is shipped to a hardcoded C2 relay at 212.193.3.61:9877, and additionally out via Discord webhooks and HuggingFace Hub uploads — abusing legitimate services as exfil channels to blend in.

The package documents its own capabilities

Unusually, the sample ships a large test suite whose file names read like a feature list of the malware itself: chromium-extension-db-harvest, extension-db-hf-upload, discord-bot-tokens, discord-relay-upload, clipboard-session, desktop-input-sync, hf-hub-upload-streaming, secret-filename-scan, agent-secret-audit. Each corresponds to a real capability confirmed by the file structure and the postinstall chain — leaving little ambiguity about intent.

Indicators of Compromise
C2212.193.3.61:9877 (hardcoded relay — HTTP, validated routable)
PKG[email protected] (npm) — removed; replaced by 0.0.1-security tombstone
HOOKpostinstall chain → …-bootstrap.mjs / …-agent.mjs (persistent agent via pm2 + autostart)
EXFILDiscord webhooks + HuggingFace Hub uploads (legitimate services abused as exfil channels)
SHAb216b78cf665c4c48edebcf3e960a73632ce5056f336aea2f11afce845cf0499 · zod-pino-1.0.127.tgz
Remediation
#ActionPriority
01 Assume full compromise. Any machine that installed or ran this package should be treated as compromised — rotate every credential, token and wallet from a different, clean machine. Immediate
02 Kill persistence. Remove the package, stop and delete the pm2 agent/daemon and any autostart entry, and check Windows scheduled tasks for the “windows-update” disguise. Immediate
03 Block + hunt the C2. Block 212.193.3.61:9877 and review outbound traffic (incl. Discord / HuggingFace) for exfil during the exposure window. High
04 Audit your dependency tree for typosquat/impersonation packages and pin/lock versions; treat postinstall scripts as an execution boundary. High

Detected and confirmed by codelake Research · continuous npm scanning + AI malware triage + deterministic IOC extraction · independently corroborated by OSV MAL-2026-6273. The original artifact is preserved in the codelake archive and available to verified security researchers on request.

No working payload or reproduction is published here — the technique is described, not reproduced.