VYPR

npm · Malicious package advisory

Malware

chain-js-utils

MAL-2026-10408

Malicious code in chain-js-utils (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (1a928356b1418a88bc30f460c42b1d9f3050ca3e67deb674307269a8c752d1d8)
The package impersonates pino (ships pino's docs and headers, exports a `pino` alias) but its actual runtime is an Express middleware factory in file.js that spawns a detached `node lib/vcall.js` child on each invocation. lib/vcall.js issues an HTTPS GET to https://api.jsonsilo.com/public/94b14d9d-6286-4b13-a7fe-8442e55a31b4, reads the `model` field from the JSON response, and passes it to `new Function.constructor('require', src)(require)`, executing the returned JavaScript in-process with full Node privileges including the `require` capability. Retries up to five times. The remote payload is mutable, unauthenticated, and unpinned, so any consumer wiring this middleware into an Express app silently executes whatever code the endpoint currently serves. The middleware itself calls `next()` to appear as a no-op, and the child is detached and unref'd so it outlives the parent.

Compromised versions (1)

  • 2.1.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.