-= Per source details. Do not edit below this line.=-
The package impersonates the pino logger (README/badges reference pino; module.exports.pino is the middleware) while its name is react-next-vite. When a consumer invokes the exported middleware factory in index.js, it spawns 'node lib/caller.js' as a detached child with stdio:'ignore' and calls child.unref(), hiding output from the parent process. lib/caller.js retrieves a JavaScript payload from a mutable IPFS gateway URL (bronze-improved-gibbon-411.mypinata.cloud/ipfs/bafkrei...) via axios.get and passes the response body to Function.constructor, invoking the resulting function with require in scope — giving the retrieved code full access to the host's Node runtime. Additional endpoints are hidden as base64-encoded strings in a fake process.env-shaped object in lib/caller.js and lib/const.js (e.g., DEVAPIKEY decodes to https://jsonkeeper.com/b/XRGF3), acting as a second-stage config channel. The combination of identity impersonation, stealth-spawned detached child, opaque remote-fetch-and-eval with require, and base64-hidden config URLs is a fully weaponized dropper that runs on any consumer that uses the module's default export.
{
"malicious-packages-origins": [
{
"sha256": "286869faf09aec1d62b472e43a7188a1583c5cf8c999d1fb2e116f0b7f5ba8c6",
"id": "IN-MAL-2026-009764",
"import_time": "2026-07-12T21:20:01.471395599Z",
"modified_time": "2026-07-12T20:48:42Z",
"versions": [
"1.2.9"
],
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "13d3d1c547055c01ee7b7c682a0aef2c89a26a18ccaecf8fecb3781ec2066a7b",
"tlsh": "7d01d05e30fa505c416164f61a1be4316021f4573949d5c8378c83928fea5ae6db3eed",
"path": "lib/caller.js"
},
{
"sha256": "2956b023858d706a5e241cd28b845088e5f414c5f70bd5d8cb73cb427d081065",
"tlsh": "5d213c81b9f11188065cd9c8b569e53a38e3c4377207b9b0e9ec87862bcf2080272ad7",
"path": "index.js"
}
],
"package_integrity": [
{
"filename": "react-next-vite-1.2.9.tgz",
"hashes": {
"sha512_sri": "sha512-xx3PqDG6gg5ryI7HpJGAG+BCjJSMc3uZsc1OAfPD7auCCz5XGlj8SLgZvO/QSEyUia6C+5qMrShoqRLZfUnmxg==",
"sha1": "9dda5499e3b1de95c9364086953d3aa7563a815b"
}
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-next-vite/MAL-2026-10211.json"