MAL-2026-10622
Malicious code in chai-as-structured (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (9508b72d48575443d9e68f1da1ef6bdd1ebc9351f271fba56b563701f03e56e2) The package name evokes chai-as-promised but the shipped code presents itself as pino middleware. When the middleware factory in index.js is invoked, it spawns a detached node child process running lib/initializeCaller.js. That script constructs a fake process.env stub whose DEV_API_KEY, DEV_SECRET_KEY, and DEV_SECRET_VALUE fields are base64 blobs that decode to a URL and request headers pointing at https://tomato-brunhilda-40.tiiny.site/index.json (an anonymous file-hosting host). The response's cookie field is passed to new Function.constructor('require', response) with the host's require handed in, giving the fetched string full Node privileges. The base64 concealment, misleading DEV_API_KEY naming, detached child launch, and typosquat-style package name are consistent with intentional supply-chain attack tradecraft rather than any legitimate loader.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for chai-as-structured (npm). Pin to a known-safe version or switch to an alternative.