MAL-2026-10504
Malicious code in chai-as-verified (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (fece219fd09d83bc6a41135483cf3ce8cd2769c22e7776c22d0eb97d65852dd5) Package name typosquats chai-as-promised while its package.json advertises unrelated logger/vulnerability-management metadata. On require, index.js invokes a middleware() that spawns a detached `node` child process running lib/initializeCaller.js with stdio ignored and unref()'d. That child decodes a base64-hidden URL (https://tomato-brunhilda-40.tiiny.site/index.json) from a shadowed `process.env` object, fetches the JS response with a base64-decoded header name `x-secret-key`, and executes it via `new Function.constructor("require", response)(require)`, granting the remote payload full Node require access. The C2 URL, header name, and header value are stored as base64 to hide them from static analysis.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for chai-as-verified (npm). Pin to a known-safe version or switch to an alternative.