MAL-2026-10406
Malicious code in async-chain-dom (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (0f2ce6eed4ea7607d2f12f602b43b354b91ceba4cabdc761f569c3e1dc29b6f6) On require, index.js spawns a detached, unref'd `node lib/vcall.js` child process. lib/vcall.js fetches JavaScript from https://api.jsonsilo.com/public/df71fd55-4f0c-4326-9b5b-a285e38023a5, extracts the `.model` field from the response, and executes it via `new Function.constructor("require", src)` with `require` passed in, giving the remote endpoint arbitrary code execution inside the installer's Node process. The detached+unref pattern decouples the loader from the parent lifecycle so it persists after the consumer process exits, and a retry loop keeps the fetch running. The package masquerades as the pino logger (module.exports.pino = vCheck; keywords fast/logger/stream/json; lib files mimicking pino) despite the name async-chain-dom, providing a cover story for a developer to require it. The remote endpoint is a mutable jsonsilo.com blob under attacker control, so the executed payload can be swapped at any time.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for async-chain-dom (npm). Pin to a known-safe version or switch to an alternative.