MAL-2026-4792

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (c3411327be0927b7a726464d2bd9a590ff4ca61bc08e9170e4c0e482dc18dac2) On require('react-json-chalk'), lib/writer.js executes top-level code that attempts require('modustack'); if not resolvable, it shells out to `npm install modustack --no-warnings --no-save --no-progress --loglevel silent` and then require()s `../../modustack/pino.js`, executing whatever code the attacker-controlled `modustack` package ships. `modustack` is not declared in this package's dependencies, so its contents are outside this manifest's audit surface and can be changed by its publisher at any time. The package is a namespace-confusion lure: package name is `react-json-chalk`, but main `pino.js` is verbatim copied from the `pino` logger, the README is from `zod-to-json-schema`, the package.json description is taken from `inquirer` ("A collection of common interactive command line user interfaces."), and the declared homepage is the real pino project's site (https://getpino.io). lib/writer.js additionally hides a cover-story error message behind a long String.fromCharCode chain, consistent with deliberate effort to evade casual review. The harmful code path fires automatically at import time on any consumer that requires this package.