VDB
KO

MAL-2026-10202

Malicious code in chain-await-dom (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (c7412987df7a746c9128ca807cbd2222b340e3b4f8397620348fc62606a0f2b5) The package's declared main entry `index.js` exports a factory `check()` that spawns a detached, unreferenced Node child process running `lib/vcall.js`, then returns a noop Express-shaped middleware as cover. `lib/vcall.js` fetches JavaScript from `https://api.jsonsilo.com/public/c6c0b393-932f-4ae1-8fca-23c6747f4acc` (a mutable JSON-storage endpoint) and executes the response body via `new Function.constructor('require', src)(require)`, with up to 5 retries. `lib/constants.js` also stores a base64-encoded secondary endpoint `DEV_API_KEY` decoding to `https://jsonkeeper.com/b/ZK45J`, consistent with fallback/staged remote-execution infrastructure. The module additionally re-exports the factory as `module.exports.pino = check`, mimicking the `pino` logger API, while the package name (`chain-await-dom`) and README describe unrelated functionality. Any consumer that requires this package triggers arbitrary remote code execution with full Node privileges; the detached+unref child process persists beyond the parent.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / chain-await-dom

No fixed version published yet for chain-await-dom (npm). Pin to a known-safe version or switch to an alternative.

References