The pino-debugging npm package (versions 1.1.3 and 1.1.4) is a malicious package impersonating the legitimate pino-debug. Its main entry point requires a transitive dependency 'loadutils' that further depends on code contacting a hardcoded C2 server at https://fundraiser-success.vercel.app. This server delivers a payload executed in the consumer's Node.js process. Additionally, pino-debugging mutates Node's require('module').wrap function to rewrite require calls inside any node_modules/debug module, effectively routing consumers of the widely used debug package through its malicious shim. The shipped files openly describe this attack chain, including payload execution and screenshot capture, while the README and SECURITY files falsely assert the package is production ready and free of vulnerabilities.

Consumers of the pino-debugging package versions 1.1.3 and 1.1.4 risk executing arbitrary malicious code delivered from a remote command-and-control server within their Node.js environment. This includes potential unauthorized actions such as screenshot capture. The package's modification of the module loading system allows it to silently affect other dependencies that use the debug package, increasing the attack surface and potential impact across the dependency tree.

No official patch or remediation is currently documented for this malicious package. Users should immediately remove pino-debugging versions 1.1.3 and 1.1.4 from their projects and dependency trees. Avoid installing or using this package. Verify dependencies to ensure no transitive inclusion of pino-debugging. Monitor for any suspicious network connections to fundraiser-success.vercel.app and audit Node.js processes for unauthorized code execution. Patch status is not yet confirmed — check vendor advisories or trusted sources for updates.