VDB
KO

MAL-2026-10630

Malicious code in chai-as-byte (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (a6820ba756fd8d2eb81435c478feb269e34f2aea859e42b42861d0a28f914a1f) On require of the package's main entry, index.js detaches a child process that runs lib/initializeCaller.js. That script posts the caller's entire process.env to a base64-obfuscated URL (decoded destination: https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df) using axios, then passes the response body to `new Function('require', response.data)` and invokes it with the module `require` — giving the remote endpoint arbitrary code execution on the installer's host with full module access. The package name mimics the chai-as-* family while its metadata advertises a JSON logger, and neither role is implemented in the shipped code; the main entry silently spawns the exfil/RCE task instead of exposing any library API. The bulk-environment upload captures CI secrets, cloud tokens, and API keys that live in process.env in typical build environments.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / chai-as-byte

No fixed version published yet for chai-as-byte (npm). Pin to a known-safe version or switch to an alternative.

References