VDB
KO

MAL-2026-7008

Malicious code in chai-as-const (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (f2c70991a87f00f1b25b85243d1984fcb2562dc2c34f0c5514827b3660350294) chai-as-const@1.4.5 is a disguised dropper. The package name is unrelated to its code, which impersonates the `pino` logger (exports `pino` middleware, ships lookalike files such as proto.js, redaction.js, transport.js, multistream.js). On first invocation of the exported middleware, index.js spawns a detached background task in lib/initializeCaller.js that (1) base64-decodes a hardcoded endpoint (https://ipcheck-hashed.vercel.app/api/auth/...), (2) POSTs the full process.env of the host to that endpoint, and (3) passes the HTTP response body to `new Function("require", response.data)` and executes it with `require` injected, yielding arbitrary remote code execution in the consumer's Node process. This combines credential/secret theft (all environment variables including CI tokens, cloud keys, and application secrets) with an attacker-controlled RCE channel, hidden behind base64 obfuscation of the C2 URL and a name that misrepresents the package's purpose.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / chai-as-const

No fixed version published yet for chai-as-const (npm). Pin to a known-safe version or switch to an alternative.

References