VYPR

npm · Malicious package advisory

Malware

chai-as-align

MAL-2026-10039

Malicious code in chai-as-align (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (791f5dcd4f623d5301bc3abf922c5f0e4ff716017fe67d3673c778e9d31b0776)
The package presents itself as a testing/logging helper but its exported middleware factory spawns a detached background Node child that runs lib/initializeCaller.js. That script base64-decodes a hidden URL (https://amethyst-lorrin-26.tiiny.site/index.json) from a fake process.env stub, fetches its 'cookie' field over HTTPS with an 'x-secret-key' header, and executes the returned body via `new Function.constructor('require', response)` bound to the real `require`, in a retry loop. This yields full remote code execution on the installer's machine whenever the exported middleware is invoked. The destination is an anonymous file-hosting service (tiiny.site) whose contents are attacker-mutable. The package name closely resembles the popular chai-as-promised library, and its declared description/keywords do not match the shipped code, indicating typosquat delivery of the dropper. The detached+unref'd child with stdio ignored is used to hide the payload's activity from the consuming application.

Compromised versions (1)

  • 7.1.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.