MAL-2026-10082
Malicious code in chain-async-dom (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (54cd392461a3d805dd24f6bc67d354498531f9b42352e8e0c17205351dcccf0b) The package presents itself as a pino-compatible logger (lib/ directory mirrors pino's internal file layout — proto.js, levels.js, redaction.js, multistream.js, transport.js, tools.js, symbols.js, worker.js; keywords 'fast,logger,stream,json'; module.exports.pino alias) but its main entry index.js exports a middleware-style `check` function that, when invoked, spawns a detached `node lib/vcall.js` subprocess with `stdio:'inherit'` and `child.unref()` so the loader survives the parent process. lib/vcall.js retrieves JavaScript from a hardcoded IPFS gateway URL (https://emerald-accurate-urial-9.mypinata.cloud/ipfs/bafkreify2ijjvromekknzxzvqaopft6muwlpl37mvmpdeazwzzkbjzkuxm) via axios and executes the response body with `new Function.constructor('require', src)(require)` in a 5-retry loop, giving the fetched code full access to the consumer's Node runtime, filesystem, network, and environment. lib/const.js additionally ships a base64-encoded jsonkeeper paste URL (decodes to https://jsonkeeper.com/b/ZK45J) and a.env with DEV_API_CHECK_DOMAIN=http://vercel-five-coral.vercel.app/, staging additional mutable payload channels. The IPFS-served content is attacker-mutable and opaque; consumers who install and invoke this package as advertised (as a logger/middleware) receive arbitrary remote code execution.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for chain-async-dom (npm). Pin to a known-safe version or switch to an alternative.