VYPR

npm · Malicious package advisory

Malware

chai-as-modified

MAL-2026-10043

Malicious code in chai-as-modified (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (ab841cd3ab01bfcd1257a214489b41f10e236779e236a0672642777160245a9e)
Package name is a 1-2 character variant of the widely-used `chai-as-promised` plugin. The exported function — the entry point users pass to `chai.use(...)` per the copied pino README — invokes a `runBackgroundTask` helper that spawns a detached `node` subprocess (`detached: true`, `stdio: 'ignore'`, `child.unref()`) running a sibling `./lib/initializeCaller.js`, then returns a no-op pass-through middleware. The detached, unref'd child is decoupled from the parent test runner and outlives it — an out-of-band execution channel that has no relationship to the advertised purpose of a chai assertion plugin. The `lib/` directory ships a verbatim copy of unrelated pino source as decoy content, and the README is copied from pinojs/pino. In this specific tarball the referenced `./lib/initializeCaller.js` file is not present, so the fork currently errors out, but the launcher stub, name-confusion vector, decoy content, and covert-execution mechanism are all in place; the missing payload is consistent with a staged release or intended delivery via a sibling/subsequent publish.

Compromised versions (1)

  • 6.0.4

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.