react-next-vite @1.2.9
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 2:45 AM UTC
OSV ID
MAL-2026-10211
Ecosystem
npm
Summary
The package impersonates the pino logger (README/badges reference pino; module.exports.pino is the middleware) while its name is react-next-vite. When a consumer invokes the exported middleware factory in index.js, it spawns 'node lib/caller.js' as a detached child with stdio:'ignore' and calls child.unref(), hiding output from the parent process. lib/caller.js retrieves a JavaScript payload from a mutable IPFS gateway URL (bronze-improved-gibbon-411.mypinata.cloud/ipfs/bafkrei...) via axios.get and passes the response body to Function.constructor, invoking the resulting function with require in scope — giving the retrieved code full access to the host's Node runtime. Additional endpoints are hidden as base64-encoded strings in a fake process.env-shaped object in lib/caller.js and lib/const.js (e.g., DEV_API_KEY decodes to https://jsonkeeper.com/b/XRGF3), acting as a second-stage config channel. The combination of identity impersonation, stealth-spawned detached child, opaque remote-fetch-and-eval with require, and base64-hidden config URLs is a fully weaponized dropper that runs on any consumer that uses the module's default export.
Source: amazon-inspector (286869faf09aec1d62b472e43a7188a1583c5cf8c999d1fb2e116f0b7f5ba8c6)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.