Which versions of node-denv are malicious?

The following npm versions of node-denv are flagged malicious: 1.3.5. Treat any of these as compromised.

How do I remediate node-denv if I installed it?

Remove node-denv from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is node-denv part of a known attack campaign?

Yes — node-denv is associated with the IN-MAL-2026-006319, IN-MAL-2026-006320 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect node-denv in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking node-denv and packages like it before any post-install script runs.

Malicious package

node-denvnpm

Malicious code in node-denv (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5734

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall node-denv

What this malware does

node-denv presents itself as a pino-compatible logging middleware (index.js exports module.exports.pino = middleware and mimics pino's option shape including DEFAULT_LEVELS, formatters.bindings, redact, and customLevels). When a consumer instantiates the middleware, the package spawns a detached node lib/caller.js child process. lib/caller.js performs an HTTPS GET against https://jsonkeeper.com/b/EXSIF, reads the .cookie field from the JSON response, and passes it to new Function.constructor("require", s) invoked with the real require — granting the remotely-fetched JavaScript full Node.js capabilities (filesystem, network, child_process, env). The fetch is retried up to 5 times. A second jsonkeeper.com payload URL (https://jsonkeeper.com/b/ZK45J) is base64-encoded as DEV_API_KEY in lib/const.js as a fallback C2. jsonkeeper.com is an anonymous mutable JSON paste host — the attacker can change the executed payload at any time without republishing the package. The pino impersonation lures developers searching for the popular logger into installing this package, at which point any normal use triggers remote code execution on the installer's machine.

Malicious versions

1 flagged

1.3.5

Indicators of compromise (SHA-256)

1b0701ad772209918c78eb4d038cce43946517f3558cbec1988c121c115a641d

86a9df69748eedf7adab541a4701076fcfede5edbb2c492c29e8094cf2efc9ad

Frequently asked questions

No. node-denv on npm has been identified as a malicious package (version 1.3.5 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006319IN-MAL-2026-006320

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection