VYPR

npm · Malicious package advisory

Malware

chai-as-serialized

MAL-2026-10044

Malicious code in chai-as-serialized (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (30e48e8980927471640c6573406d988d1a4361759f14a952da36c5daa1c9fd3c)
The package's main entry (index.js) spawns a detached `node` child process running lib/initializeCaller.js as a side effect of invoking the exported middleware factory. lib/initializeCaller.js constructs a fake `process.env` object whose fields hold base64 blobs; DEV_API_KEY decodes to https://tomato-brunhilda-40.tiiny.site/index.json and DEV_SECRET_KEY/DEV_SECRET_VALUE decode to an `x-secret-key` request header. The script fetches the JSON body from that anonymous host and executes it via `new Function.constructor("require", response)(require)`, granting the remote host arbitrary code execution with `require` access in the installer/consumer's Node process. The package name mimics `chai-as-promised` and the README is copied from `pino` (pino badges, pino narrative, keywords `fast,logger,stream,json`), while the shipped code has no relation to either — the impersonation is a lure to attract installs to a remote-code-execution dropper. Base64-encoding of the C2 URL and header, disguised as environment-variable configuration, confirms hostile intent.

Compromised versions (1)

  • 7.0.8

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.