VYPR

npm · Malicious package advisory

Malware

chain-await-dom

MAL-2026-10202

Malicious code in chain-await-dom (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (c7412987df7a746c9128ca807cbd2222b340e3b4f8397620348fc62606a0f2b5)
The package's declared main entry `index.js` exports a factory `check()` that spawns a detached, unreferenced Node child process running `lib/vcall.js`, then returns a noop Express-shaped middleware as cover. `lib/vcall.js` fetches JavaScript from `https://api.jsonsilo.com/public/c6c0b393-932f-4ae1-8fca-23c6747f4acc` (a mutable JSON-storage endpoint) and executes the response body via `new Function.constructor('require', src)(require)`, with up to 5 retries. `lib/constants.js` also stores a base64-encoded secondary endpoint `DEV_API_KEY` decoding to `https://jsonkeeper.com/b/ZK45J`, consistent with fallback/staged remote-execution infrastructure. The module additionally re-exports the factory as `module.exports.pino = check`, mimicking the `pino` logger API, while the package name (`chain-await-dom`) and README describe unrelated functionality. Any consumer that requires this package triggers arbitrary remote code execution with full Node privileges; the detached+unref child process persists beyond the parent.

Compromised versions (1)

  • 1.3.4

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.