npm · Malicious package advisory
Malwareasync-chain-dom
MAL-2026-10406
Malicious code in async-chain-dom (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (0f2ce6eed4ea7607d2f12f602b43b354b91ceba4cabdc761f569c3e1dc29b6f6)
On require, index.js spawns a detached, unref'd `node lib/vcall.js` child process. lib/vcall.js fetches JavaScript from https://api.jsonsilo.com/public/df71fd55-4f0c-4326-9b5b-a285e38023a5, extracts the `.model` field from the response, and executes it via `new Function.constructor("require", src)` with `require` passed in, giving the remote endpoint arbitrary code execution inside the installer's Node process. The detached+unref pattern decouples the loader from the parent lifecycle so it persists after the consumer process exits, and a retry loop keeps the fetch running. The package masquerades as the pino logger (module.exports.pino = vCheck; keywords fast/logger/stream/json; lib files mimicking pino) despite the name async-chain-dom, providing a cover story for a developer to require it. The remote endpoint is a mutable jsonsilo.com blob under attacker control, so the executed payload can be swapped at any time.
Compromised versions (1)
- 1.3.5
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.