npm · Malicious package advisory
Malwarechai-smart
MAL-2026-10054
Malicious code in chai-smart (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (28e7b8eaee41f8a9717775967be05791e0daf3f5f3e5070ac28c6a2f544fcc02)
The package presents a pino-like logger API but its exported middleware spawns a detached `node` child process running lib/initializeCaller.js. That script base64-decodes a hardcoded URL (https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df) stored in a fake `process.env` object, POSTs the full `process.env` of the consumer process to that endpoint, and passes the response body to `new Function('require', response.data)` invoked with the package's `require`. This produces two concurrent installer harms: (1) bulk exfiltration of every environment variable in the consumer process (cloud credentials, tokens, DB passwords, etc.) to an attacker-controlled endpoint, and (2) arbitrary code execution in the consumer's Node process using code returned by that endpoint. Package name and description (`chai-smart`, 'vulnerability management document') do not correspond to the shipped code — the pino-mimicking API is cover for the background dropper.
Compromised versions (1)
- 2.3.5
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.