VDB
KO

MAL-2026-10406

Malicious code in async-chain-dom (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (0f2ce6eed4ea7607d2f12f602b43b354b91ceba4cabdc761f569c3e1dc29b6f6) On require, index.js spawns a detached, unref'd `node lib/vcall.js` child process. lib/vcall.js fetches JavaScript from https://api.jsonsilo.com/public/df71fd55-4f0c-4326-9b5b-a285e38023a5, extracts the `.model` field from the response, and executes it via `new Function.constructor("require", src)` with `require` passed in, giving the remote endpoint arbitrary code execution inside the installer's Node process. The detached+unref pattern decouples the loader from the parent lifecycle so it persists after the consumer process exits, and a retry loop keeps the fetch running. The package masquerades as the pino logger (module.exports.pino = vCheck; keywords fast/logger/stream/json; lib files mimicking pino) despite the name async-chain-dom, providing a cover story for a developer to require it. The remote endpoint is a mutable jsonsilo.com blob under attacker control, so the executed payload can be swapped at any time.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / async-chain-dom

No fixed version published yet for async-chain-dom (npm). Pin to a known-safe version or switch to an alternative.

References