VDB
KO

MAL-2026-10219

Malicious code in chai-as-precision (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (f8b5d1218fae5d91755d8f9ca8ed37983e7d589c6fd88012d3ddb29a84a2cc56) Package is published as `chai-as-precision` but its shipped code mimics `pino` (exports `middleware.pino`, ships `pino.js`/`proto.js`/`redaction.js`), a name/purpose mismatch consistent with typosquatting or masquerade for transitive installation. When the exported middleware is invoked, `index.js` spawns `node lib/initializeCaller.js` with `detached: true`, `stdio: 'ignore'`, and `child.unref()`, decoupling the child from the parent and suppressing output. `lib/initializeCaller.js` shadows `process` with a local object whose `DEV_API_KEY` is a base64 blob decoding to `https://tomato-brunhilda-40.tiiny.site/index.json`, GETs that URL, and executes the returned `cookie` field via `new Function.constructor('require', response)(require)` — arbitrary attacker-controlled JavaScript is executed with full `require` access on the host running the middleware. The destination is an anonymous tiiny.site host unrelated to any documented purpose, the URL and custom auth header are base64-hidden behind a fake env-var wrapper, and the executed content is mutable and controlled by whoever owns the tiiny.site page.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / chai-as-precision

No fixed version published yet for chai-as-precision (npm). Pin to a known-safe version or switch to an alternative.

References