npm · Malicious package advisory
Malwarechai-as-modified
MAL-2026-10043
Malicious code in chai-as-modified (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (ab841cd3ab01bfcd1257a214489b41f10e236779e236a0672642777160245a9e) Package name is a 1-2 character variant of the widely-used `chai-as-promised` plugin. The exported function — the entry point users pass to `chai.use(...)` per the copied pino README — invokes a `runBackgroundTask` helper that spawns a detached `node` subprocess (`detached: true`, `stdio: 'ignore'`, `child.unref()`) running a sibling `./lib/initializeCaller.js`, then returns a no-op pass-through middleware. The detached, unref'd child is decoupled from the parent test runner and outlives it — an out-of-band execution channel that has no relationship to the advertised purpose of a chai assertion plugin. The `lib/` directory ships a verbatim copy of unrelated pino source as decoy content, and the README is copied from pinojs/pino. In this specific tarball the referenced `./lib/initializeCaller.js` file is not present, so the fork currently errors out, but the launcher stub, name-confusion vector, decoy content, and covert-execution mechanism are all in place; the missing payload is consistent with a staged release or intended delivery via a sibling/subsequent publish.
Compromised versions (1)
- 6.0.4
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.