npm · Malicious package advisory
Malwarechai-as-sharpened
MAL-2026-10045
Malicious code in chai-as-sharpened (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (854e8e5d81ba59ee1353535523ea62b29c07de8d6a5cc50745a471696d80576a)
On require, the package spawns a detached background `node` process running `lib/initializeCaller.js`. That script base64-decodes a hardcoded URL (https://tomato-brunhilda-40.tiiny.site/index.json), fetches JSON from it, and executes the returned `cookie` field through `new Function.constructor('require', response)(require)` — giving the remote payload full `require` access on the installer's host. The endpoint URL and request header key/value are hidden inside base64 strings assigned to a locally-shadowed `process.env` object and decoded via `atob()` at runtime, obfuscating the C2 destination. The package additionally impersonates two well-known libraries: the name `chai-as-sharpened` mimics `chai-as-promised`, and the README badges/links point to `pino` and `pinojs/pino`, using name confusion as the delivery vector. Import triggers unconditional RCE against any consumer.
Compromised versions (1)
- 7.0.9
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.