npm · Malicious package advisory
Malwarechai-promised-test
MAL-2026-10052
Malicious code in chai-promised-test (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (1ddaac3e93ed2e5d968816cf3153b2ab1878580bb9ee65ec3ec1acdca41dc018)
Package masquerades as a chai-as-promised plugin / pino logger (README and exports copied from pino, including `module.exports.pino = middleware`) but on use spawns a detached Node process running lib/caller.js, which fetches a string from https://jsonkeeper.com/b/EXSIF and executes it via `new Function.constructor("require", s)(require)`. The fetched code runs with full Node privileges (require, fs, child_process, network). The C2 URL and request headers are concealed by shadowing the local `process` object with fields named `DEV_API_KEY` / `DEV_SECRET_KEY` / `DEV_SECRET_VALUE`, and lib/const.js carries base64-encoded equivalents that decode to a second jsonkeeper.com paste and the header name `x-secret-key`. The remote paste is mutable and attacker-controlled, allowing arbitrary code execution on the installer's machine. Identity confusion with chai-as-promised / pino indicates the package exists to be installed by mistake.
Compromised versions (1)
- 1.3.5
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.