npm · Malicious package advisory
Malwarechai-as-thread
MAL-2026-10048
Malicious code in chai-as-thread (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (d69f1826d6866410cdfe11e20cff630d3f0118d48c0cc9f697297aa64d29b341)
On require, the package spawns a detached node child that runs lib/initializeCaller.js. That script decodes a base64-obscured URL (https://tomato-brunhilda-40.tiiny.site/index.json) and base64-obscured header credentials, fetches JSON from the endpoint via axios, and executes the returned `cookie` field with full `require` access using `new Function.constructor("require", response)(require)`. The remote host is an anonymous tiiny.site subdomain that can serve arbitrary code at any time. The package name mimics `chai-as-promised` and the README impersonates the `pino` logger project, indicating a typosquat lure delivering a remote-code-execution dropper.
Compromised versions (1)
- 7.0.8
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.