MAL-2026-6340

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/rainbownkit/MAL-2026-6340.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6340
Published
2026-06-23T20:01:24Z
Modified
2026-06-23T21:01:21.428559488Z
Summary
Malicious code in rainbownkit (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (970be1fb6306ff1e8dc6119d96404f600a1eb44a47124e2910bb9237bb80fe9a)

Package 'rainbownkit' is a single-character typosquat of the popular Web3 library 'rainbowkit'. The shipped source, README, repository URL, and author metadata are copied verbatim from the unrelated 'big.js' arbitrary-precision math library, so a developer installing this expecting RainbowKit instead receives big.js with an injected covert loader.

The package's main entry (big.js and big.mjs, both referenced via main and exports) contains an injected try/catch around line 606 that runs at require/import time: const doc = require("parket-slot"); doc.from_str().then(e => {}).catch(e => {}). The 'parket-slot' module is not declared in package.json; it would be pulled in transitively via the package's only declared runtime dependency 'log-taker' (^0.0.9), an undocumented niche package with no relation to the package's claimed purpose. All errors are silently swallowed, both by the surrounding try/catch and by the empty .catch() handler, so the hidden execution is invisible to the consumer.

Anyone who runs require('rainbownkit') (or any code that imports it) executes whatever code the 'parket-slot' / 'log-taker' chain delivers at that moment: a two-hop supply-chain payload staged through an undeclared transitive dependency, combined with name impersonation of a high-traffic Web3 package. Because the loader runs at require time rather than from an install script, npm's --ignore-scripts does not prevent it; only the second-hop package, resolved at install time, determines what actually executes.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "0.0.8"
            ],
            "id": "IN-MAL-2026-007354",
            "modified_time": "2026-06-23T20:01:24Z",
            "import_time": "2026-06-23T20:48:30.53507161Z",
            "sha256": "970be1fb6306ff1e8dc6119d96404f600a1eb44a47124e2910bb9237bb80fe9a",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / rainbownkit

Affected ranges
0.*
Affected versions
0.0.8

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/rainbownkit/MAL-2026-6340.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "rainbownkit-0.0.8.tgz",
            "hashes": {
                "sha1": "06fc33f46ad8a5d4a6bf1d95eea59c386e3ad0e0",
                "sha512_sri": "sha512-Ru8xsXyJdZ+j5/0+qDdowD9yV3derEcpLi9ozzAiRBgH96SM2klwlc0NQcBsSlz4wwAdPQsvFSpLCfg25BCiLg=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "8ee421f3aa743362a6d8f3fbdb0192c1bba7411414379eee44c7072d69a2ae3f",
            "tlsh": "65210477c9a59da70af85ba47c6c03aaf1151b1f00a04c57b0bb130c4f3355b2095bbd"
        },
        {
            "path": "big.js",
            "sha256": "5b803b2bbd43db704b5802fa5bf4da96e79c3b876d74495116b53a837101dace",
            "tlsh": "24c2658c3ac67579593363788f4a5088eb38525712c8b186b4ae63b46f78cb107b5fdc"
        }
    ]
}