VYPR

npm · Malicious package advisory

Malware

chai-as-staged

MAL-2026-10047

Malicious code in chai-as-staged (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (84d908f9158abcdd631b569f812b06cb59a1788f2435dd05a47fd39021d60a49)
Package name impersonates the popular `chai-as-promised` testing library and the README is copied from `pino`. The advertised usage `chai.use(chaiAsStaged)` triggers a detached `node` child process that runs `lib/initializeCaller.js`. That file hides its C2 endpoint and a custom HTTP header name/value as base64 strings stored under decoy names (`DEV_API_KEY`, `DEV_SECRET_KEY`, `DEV_SECRET_VALUE`) inside a fake local `process` object; at runtime it base64-decodes the URL to `https://amethyst-lorrin-26.tiiny.site/index.json`, fetches it with the obfuscated header, extracts the `.cookie` field from the JSON response, and executes the returned JavaScript via `new Function.constructor('require', response)(require)` in a retry loop. Attacker-controlled code is therefore executed on the installer's machine with full `require` access whenever the library is used as documented. The combination of name/README impersonation, base64-obfuscated C2 on an anonymous static-hosting host, and dynamic code construction with `require` removes any benign interpretation.

Compromised versions (1)

  • 6.0.4

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.