MAL-2026-10211

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-next-vite/MAL-2026-10211.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10211
Published
2026-07-12T20:48:42Z
Modified
2026-07-12T21:31:52.944694893Z
Summary
Malicious code in react-next-vite (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (286869faf09aec1d62b472e43a7188a1583c5cf8c999d1fb2e116f0b7f5ba8c6)

The package impersonates the pino logger (README/badges reference pino; module.exports.pino is the middleware) while its name is react-next-vite. When a consumer invokes the exported middleware factory in index.js, it spawns 'node lib/caller.js' as a detached child with stdio:'ignore' and calls child.unref(), hiding output from the parent process. lib/caller.js retrieves a JavaScript payload from a mutable IPFS gateway URL (bronze-improved-gibbon-411.mypinata.cloud/ipfs/bafkrei...) via axios.get and passes the response body to Function.constructor, invoking the resulting function with require in scope — giving the retrieved code full access to the host's Node runtime. Additional endpoints are hidden as base64-encoded strings in a fake process.env-shaped object in lib/caller.js and lib/const.js (e.g., DEVAPIKEY decodes to https://jsonkeeper.com/b/XRGF3), acting as a second-stage config channel. The combination of identity impersonation, stealth-spawned detached child, opaque remote-fetch-and-eval with require, and base64-hidden config URLs is a fully weaponized dropper that runs on any consumer that uses the module's default export.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "286869faf09aec1d62b472e43a7188a1583c5cf8c999d1fb2e116f0b7f5ba8c6",
            "id": "IN-MAL-2026-009764",
            "import_time": "2026-07-12T21:20:01.471395599Z",
            "modified_time": "2026-07-12T20:48:42Z",
            "versions": [
                "1.2.9"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / react-next-vite

Package

Affected ranges

Affected versions

1.*
1.2.9

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "13d3d1c547055c01ee7b7c682a0aef2c89a26a18ccaecf8fecb3781ec2066a7b",
            "tlsh": "7d01d05e30fa505c416164f61a1be4316021f4573949d5c8378c83928fea5ae6db3eed",
            "path": "lib/caller.js"
        },
        {
            "sha256": "2956b023858d706a5e241cd28b845088e5f414c5f70bd5d8cb73cb427d081065",
            "tlsh": "5d213c81b9f11188065cd9c8b569e53a38e3c4377207b9b0e9ec87862bcf2080272ad7",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "react-next-vite-1.2.9.tgz",
            "hashes": {
                "sha512_sri": "sha512-xx3PqDG6gg5ryI7HpJGAG+BCjJSMc3uZsc1OAfPD7auCCz5XGlj8SLgZvO/QSEyUia6C+5qMrShoqRLZfUnmxg==",
                "sha1": "9dda5499e3b1de95c9364086953d3aa7563a815b"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-next-vite/MAL-2026-10211.json"