VDB
GCVE-110-OSM-2026-5876
GCVE-110-OSM-2026-5876
Advisory PublishedCVSS 9.6/10
This package is a trojanized clone of the legitimate winston logging library, published under the misleading name 'node-pino' by a brand-new single-package account. The attack chain is unambiguous: a postinstall hook runs 'npm run license', which executes lib/winston/license/index.js — a file that spawns a detached child process (detached:true, suppressed I/O) that survives the parent npm process and runs as a background payload. A companion file lib/winston/logger.js writes persistence via .profile, ensuring the payload survives reboot. The malicious axios dependency further indicates the actor is operating within a broader campaign infrastructure. The legitimate winston entrypoint (lib/winston.js) is copied intact to pass cursory inspection while the malicious logic is buried in the fabricated 'license' subdirectory.
ENTRY
lib/winston.js (main: ./lib/winston.js)
- Postinstall Script in package.json: ""postinstall": "npm run license""
PERSISTENCE
- Startup Persistence in dist/winston/logger.js: ".profile"
- Startup Persistence in lib/winston/logger.js: ".profile"
ADDITIONAL FINDINGS
- Shell Command Execution in dist/winston/license/index.js: "require('child_process')"
- Detached Child Process Payload in dist/winston/license/index.js: "spawn(process.execPath, [filePath], { detached: true"
- Malicious Dependency Detected in package.json
PAYLOAD FILES
dist/winston/license/index.js (+ lib/winston/license/index.js, dist/winston/logger.js)
INDICATORS (IOCs)
- urls: https://npmcharts.com/compare/winston?minimal=true, https://www.loggly.com/docs/api-retrieving-data/, https://mochajs.org
- domains: npmcharts.com, www.loggly.com, mochajs.org
- sha256Hashes: 1c7631aca0c00365e8a7e68dd11045e1d4475c909885d8dccd881f4dce9d0566
- payloadFileHash: 94befa5ef94dccc95b9253eee24bc2f17c08dddaf5aa23a2629f7abae228abef
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | node-pino | all (affected) | — |
Browse GCVE Records
73,738 records in the GCVE database · Updated July 19, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.