VYPR

npm · Malicious package advisory

Malware

chai-as-verified

MAL-2026-10504

Malicious code in chai-as-verified (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (fece219fd09d83bc6a41135483cf3ce8cd2769c22e7776c22d0eb97d65852dd5)
Package name typosquats chai-as-promised while its package.json advertises unrelated logger/vulnerability-management metadata. On require, index.js invokes a middleware() that spawns a detached `node` child process running lib/initializeCaller.js with stdio ignored and unref()'d. That child decodes a base64-hidden URL (https://tomato-brunhilda-40.tiiny.site/index.json) from a shadowed `process.env` object, fetches the JS response with a base64-decoded header name `x-secret-key`, and executes it via `new Function.constructor("require", response)(require)`, granting the remote payload full Node require access. The C2 URL, header name, and header value are stored as base64 to hide them from static analysis.

Compromised versions (1)

  • 7.1.5

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.