npm · Malicious package advisory
Malwarechai-as-serialized
MAL-2026-10044
Malicious code in chai-as-serialized (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (30e48e8980927471640c6573406d988d1a4361759f14a952da36c5daa1c9fd3c)
The package's main entry (index.js) spawns a detached `node` child process running lib/initializeCaller.js as a side effect of invoking the exported middleware factory. lib/initializeCaller.js constructs a fake `process.env` object whose fields hold base64 blobs; DEV_API_KEY decodes to https://tomato-brunhilda-40.tiiny.site/index.json and DEV_SECRET_KEY/DEV_SECRET_VALUE decode to an `x-secret-key` request header. The script fetches the JSON body from that anonymous host and executes it via `new Function.constructor("require", response)(require)`, granting the remote host arbitrary code execution with `require` access in the installer/consumer's Node process. The package name mimics `chai-as-promised` and the README is copied from `pino` (pino badges, pino narrative, keywords `fast,logger,stream,json`), while the shipped code has no relation to either — the impersonation is a lure to attract installs to a remote-code-execution dropper. Base64-encoding of the C2 URL and header, disguised as environment-variable configuration, confirms hostile intent.
Compromised versions (1)
- 7.0.8
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.