Supply-chain threat intelligence

Incident detail

critical · npm · malware · osv

Malicious code in ts-webplug (npm)

ts-webplug

Risk score

92

AI summary

Indexed incident for ts-webplug (npm).

Description

ts-webplug@3.0.5 impersonates the pino logger (exports named pino, a lib/ tree mirroring pino's file layout, keywords fast/logger/stream/json), but its main export wires consumers into a remote-code-execution dropper.

index.js's middleware export spawns a detached node lib/caller.js (spawn('node', [...], { detached: true, stdio: 'ignore' }) followed by child.unref()) so the child survives the parent. caller.js then fetches JavaScript from https://jsonkeeper.com/b/U2BTS (an anonymous, mutable JSON-paste host) and executes the response's cookie field with new Function.constructor('require', s); handler(require), granting the remote payload full Node require() access on the installer's machine. Decoy process.env strings (DEV_API_KEY etc.) base64-decode to additional jsonkeeper.com URLs.

The harm fires whenever a consumer imports the package and invokes the default/pino-named middleware, a path developers reach immediately when they install what they believe is a pino-shaped logger.

Technical details

Affected versions

= 3.0.5

Indicators

  • affected version = 3.0.5 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents