VDB
KO

MAL-2026-10211

Malicious code in react-next-vite (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (286869faf09aec1d62b472e43a7188a1583c5cf8c999d1fb2e116f0b7f5ba8c6) The package impersonates the pino logger (README/badges reference pino; module.exports.pino is the middleware) while its name is react-next-vite. When a consumer invokes the exported middleware factory in index.js, it spawns 'node lib/caller.js' as a detached child with stdio:'ignore' and calls child.unref(), hiding output from the parent process. lib/caller.js retrieves a JavaScript payload from a mutable IPFS gateway URL (bronze-improved-gibbon-411.mypinata.cloud/ipfs/bafkrei...) via axios.get and passes the response body to Function.constructor, invoking the resulting function with require in scope — giving the retrieved code full access to the host's Node runtime. Additional endpoints are hidden as base64-encoded strings in a fake process.env-shaped object in lib/caller.js and lib/const.js (e.g., DEV_API_KEY decodes to https://jsonkeeper.com/b/XRGF3), acting as a second-stage config channel. The combination of identity impersonation, stealth-spawned detached child, opaque remote-fetch-and-eval with require, and base64-hidden config URLs is a fully weaponized dropper that runs on any consumer that uses the module's default export.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / react-next-vite

No fixed version published yet for react-next-vite (npm). Pin to a known-safe version or switch to an alternative.

References