VDB
KO

MAL-2026-10621

Malicious code in chai-as-hardened (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (20c6afe564cf46f02258e635c1b08a802cd4f9b949e098710f44544cdbb86dfd) On require, index.js spawns a detached Node child process running lib/initializeCaller.js. That script base64-decodes a hardcoded URL (tomato-brunhilda-40.tiiny.site/index.json) via atob, fetches the response with axios, and executes the response body through the Function constructor with `require` injected, granting the remote payload full Node capabilities on the installer's machine. The destination URL and request header are stored as base64 strings in a shadowed local `process.env` object to hide the target from static review. Package metadata is a cover story: the name resembles chai-as-promised, the description references vulnerability management, and exports mimic pino (module.exports.pino = middleware) with keywords 'logger', 'stream', 'json' to attract developers into installing and requiring it, at which point the remote-execution chain fires.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / chai-as-hardened

No fixed version published yet for chai-as-hardened (npm). Pin to a known-safe version or switch to an alternative.

References