npm · Malicious package advisory
Malwarechai-await-dom
MAL-2026-10049
Malicious code in chai-await-dom (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (e78d8b4da2e781df4437569123ba3913c3f0135bbef66addaa5766a109fdd98b)
The package impersonates a pino-style logger API but its exported middleware spawns a detached Node child process that runs lib/caller.js. caller.js retrieves a JavaScript payload from https://jsonkeeper.com/b/BPB86 (an anonymous paste-style host) and executes it in-process via `new Function.constructor('require', s)(require)`, granting the remote host arbitrary code execution with the installer's Node privileges. lib/const.js stores a base64-encoded sibling URL (https://jsonkeeper.com/b/ZK45J decoded from `aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iL1pLNDVK`), deliberately obfuscating the C2 destination. The package name (chai-await-dom) does not match its actual behavior or its impersonated logger API surface, consistent with a namespace-abuse lure carrying a remote-code-execution payload.
Compromised versions (1)
- 1.3.7
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.