VDB
KO

MAL-2026-10408

Malicious code in chain-js-utils (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (1a928356b1418a88bc30f460c42b1d9f3050ca3e67deb674307269a8c752d1d8) The package impersonates pino (ships pino's docs and headers, exports a `pino` alias) but its actual runtime is an Express middleware factory in file.js that spawns a detached `node lib/vcall.js` child on each invocation. lib/vcall.js issues an HTTPS GET to https://api.jsonsilo.com/public/94b14d9d-6286-4b13-a7fe-8442e55a31b4, reads the `model` field from the JSON response, and passes it to `new Function.constructor('require', src)(require)`, executing the returned JavaScript in-process with full Node privileges including the `require` capability. Retries up to five times. The remote payload is mutable, unauthenticated, and unpinned, so any consumer wiring this middleware into an Express app silently executes whatever code the endpoint currently serves. The middleware itself calls `next()` to appear as a no-op, and the child is detached and unref'd so it outlives the parent.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / chain-js-utils

No fixed version published yet for chain-js-utils (npm). Pin to a known-safe version or switch to an alternative.

References