VDB

GCVE-110-OSM-2026-5876

GCVE-110-OSM-2026-5876
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 14, 2026
This package is a trojanized clone of the legitimate winston logging library, published under the misleading name 'node-pino' by a brand-new single-package account. The attack chain is unambiguous: a postinstall hook runs 'npm run license', which executes lib/winston/license/index.js — a file that spawns a detached child process (detached:true, suppressed I/O) that survives the parent npm process and runs as a background payload. A companion file lib/winston/logger.js writes persistence via .profile, ensuring the payload survives reboot. The malicious axios dependency further indicates the actor is operating within a broader campaign infrastructure. The legitimate winston entrypoint (lib/winston.js) is copied intact to pass cursory inspection while the malicious logic is buried in the fabricated 'license' subdirectory. ENTRY lib/winston.js (main: ./lib/winston.js) - Postinstall Script in package.json: ""postinstall": "npm run license"" PERSISTENCE - Startup Persistence in dist/winston/logger.js: ".profile" - Startup Persistence in lib/winston/logger.js: ".profile" ADDITIONAL FINDINGS - Shell Command Execution in dist/winston/license/index.js: "require('child_process')" - Detached Child Process Payload in dist/winston/license/index.js: "spawn(process.execPath, [filePath], { detached: true" - Malicious Dependency Detected in package.json PAYLOAD FILES dist/winston/license/index.js (+ lib/winston/license/index.js, dist/winston/logger.js) INDICATORS (IOCs) - urls: https://npmcharts.com/compare/winston?minimal=true, https://www.loggly.com/docs/api-retrieving-data/, https://mochajs.org - domains: npmcharts.com, www.loggly.com, mochajs.org - sha256Hashes: 1c7631aca0c00365e8a7e68dd11045e1d4475c909885d8dccd881f4dce9d0566 - payloadFileHash: 94befa5ef94dccc95b9253eee24bc2f17c08dddaf5aa23a2629f7abae228abef

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownnode-pinoall (affected)

References

vendor

Browse GCVE Records

73,738 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›