We found a malicious npm package pino-sdk-v2 impersonating pino, one of the most widely used Node.js loggers with nearly 20 million weekly downloads. The package is a near copy of pino’s source, docs, and README with one addition: an obfuscated payload in lib/tools.js that scans .env files for secrets and exfiltrates them to a Discord webhook on require().
[email protected] copies pino’s entire source tree with a single modification: obfuscated credential stealing code injected into lib/tools.js
The payload scans .env, .env.local, .env.production, .env.development, and .env.example for secret keys
Extracted credentials are sent to a hardcoded Discord webhook
No install hooks. The code executes on require(), bypassing scanners that only flag install scripts
[email protected] copies pino’s entire source tree with a single modification: obfuscated credential stealing code injected into lib/tools.js
The payload scans .env, .env.local, .env.production, .env.development, and .env.example for secret keys
Extracted credentials are sent to a hardcoded Discord webhook
No install hooks. The code executes on require(), bypassing scanners that only flag install scripts