We found a malicious npm package pino-sdk-v2 impersonating pino, one of the most widely used Node.js loggers with nearly 20 million weekly downloads. The package is a near copy of pino’s source, docs, and README with one addition: an obfuscated payload in lib/tools.js that scans .env files for secrets and exfiltrates them to a Discord webhook on require().

pino-sdk-v2@9.9.0 copies pino’s entire source tree with a single modification: obfuscated credential stealing code injected into lib/tools.js

The payload scans .env, .env.local, .env.production, .env.development, and .env.example for secret keys

Extracted credentials are sent to a hardcoded Discord webhook

No install hooks. The code executes on require(), bypassing scanners that only flag install scripts