MAL-2026-10219
Malicious code in chai-as-precision (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (f8b5d1218fae5d91755d8f9ca8ed37983e7d589c6fd88012d3ddb29a84a2cc56) Package is published as `chai-as-precision` but its shipped code mimics `pino` (exports `middleware.pino`, ships `pino.js`/`proto.js`/`redaction.js`), a name/purpose mismatch consistent with typosquatting or masquerade for transitive installation. When the exported middleware is invoked, `index.js` spawns `node lib/initializeCaller.js` with `detached: true`, `stdio: 'ignore'`, and `child.unref()`, decoupling the child from the parent and suppressing output. `lib/initializeCaller.js` shadows `process` with a local object whose `DEV_API_KEY` is a base64 blob decoding to `https://tomato-brunhilda-40.tiiny.site/index.json`, GETs that URL, and executes the returned `cookie` field via `new Function.constructor('require', response)(require)` — arbitrary attacker-controlled JavaScript is executed with full `require` access on the host running the middleware. The destination is an anonymous tiiny.site host unrelated to any documented purpose, the URL and custom auth header are base64-hidden behind a fake env-var wrapper, and the executed content is mutable and controlled by whoever owns the tiiny.site page.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for chai-as-precision (npm). Pin to a known-safe version or switch to an alternative.