Vulnerability
Malicious code in node-denv (npm)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (1b0701ad772209918c78eb4d038cce43946517f3558cbec1988c121c115a641d) node-denv presents itself as a pino-compatible logging middleware (index.js exports `module.exports.pino = middleware` and mimics pino's option shape including DEFAULT_LEVELS, formatters.bindings, redact, and customLevels). When a consumer instantiates the middleware, the package spawns a detached `node lib/caller.js` child process. lib/caller.js performs an HTTPS GET against https://jsonkeeper.com/b/EXSIF, reads the `.cookie` field from the JSON response, and passes it to `new Function.constructor("require", s)` invoked with the real `require` — granting the remotely-fetched JavaScript full Node.js capabilities (filesystem, network, child_process, env). The fetch is retried up to 5 times. A second jsonkeeper.com payload URL (https://jsonkeeper.com/b/ZK45J) is base64-encoded as `DEV_API_KEY` in lib/const.js as a fallback C2. jsonkeeper.com is an anonymous mutable JSON paste host — the attacker can change the executed payload at any time without republishing the package. The pino impersonation lures developers searching for the popular logger into installing this package, at which point any normal use triggers remote code execution on the installer's machine.
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs. Last record update .
For interim severity, fall back on KEV / EXPLOIT signals and the EPSS percentile (lower panel). Re-check this CVE after one cron tick — the score lands automatically when the source publishes.
FIRST.org publishes EPSS daily. Coverage isn't universal — pre-disclosure CVEs and reserved IDs don't carry an EPSS score until at least one exploitation signal lands. Score will appear within 24 hours of the next EPSS pull.
No exploitation, limited impact or prevalence