npm · Malicious package advisory
Malwarechai-as-buffered
MAL-2026-10041
Malicious code in chai-as-buffered (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (3d136202d96267459c4bf3aaaf6c903d7bd2c491901b61dcf2f391a4612f951a)
chai-as-buffered@3.7.24 is a typosquat lure (name resembles chai-as-promised; README and module exports impersonate the pino logger) whose actual behavior is a remote-payload dropper. lib/caller.js shadows `process` with a local object whose `env` holds base64-encoded constants for the C2 URL, header name, and header value, hiding the destination from review and from env scanning. When the exported middleware is invoked (e.g., via `chai.use(...)` or `require('chai-as-buffered')` wiring through the pino-styled export), the package base64-decodes the hidden URL (https://api.jsonstorage.net/v1/json/2ef8c758-a96f-459e-b036-b3b90379a165/a179ea35-b962-4722-b3f1-e28316d1a44a), spawns a detached, stdio-ignored `node./lib/caller.js` child, fetches a JSON document from that mutable third-party blob, and passes the document's `cookie` field to `Function.constructor('require', s)` invoked with the live `require`. The fetched JavaScript executes with full `require` access on the installer's machine. The destination is an attacker-controlled mutable JSON store whose content can be changed at any time, giving the publisher arbitrary code execution against any environment that loads this package.
Compromised versions (1)
- 3.7.24
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.