VYPR

npm · Malicious package advisory

Malware

chai-as-disarmed

MAL-2026-10042

Malicious code in chai-as-disarmed (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b6d396201a3dd1706d97f7daa880f254c920bbea65ea6b013ed48f78a21a0241)
Package name typosquats `chai-as-promised` while the README and keywords impersonate `pino` to bait installs. On `require()`, index.js detach-spawns `lib/caller.js`, which decodes a base64-stored URL to `https://api.jsonstorage.net/v1/json/2ef8c758-.../a179ea35-...`, issues an authenticated GET (header name and value are also base64-hidden inside a local object that shadows `process.env`), and executes the returned `.cookie` string via `new Function.constructor('require', s)(require)` — granting the remote operator arbitrary code execution in the installer's Node.js process with full `require` access. The fetch retries up to 5 times. The remote content sits in a mutable third-party JSON store, so the executed payload can be swapped at any time without republishing the package. None of this behavior corresponds to the advertised chai/pino functionality.

Compromised versions (1)

  • 3.2.3

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.