VYPR

npm · Malicious package advisory

Malware

chai-as-doc

MAL-2026-10175

Malicious code in chai-as-doc (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (cecfd3091225b3667317dd9da8fd56c4f5e7fc675e17d52cda601898b3a50ec2)
The package presents itself as pino-style logging middleware but on require() spawns a detached Node child that runs lib/initializeCaller.js. That script base64-decodes a hardcoded URL (stored as a fake DEV_API_KEY constant) resolving to https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df, POSTs the entire process.env object to it with an x-secret-header, and then passes the HTTP response body to `new Function("require", response.data)` and invokes it with the local require. This gives the remote host arbitrary code execution inside the installer's Node process with full environment/credential access. The base64 obfuscation of the endpoint, the disguised middleware cover story, and the name resembling chai/chai-as-promised are consistent with a typosquat supply-chain attack.

Compromised versions (1)

  • 2.3.5

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.