VYPR

npm · Malicious package advisory

Malware

chai-as-auth

MAL-2026-10518

Malicious code in chai-as-auth (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (12dffbf180eff9ea18e21c9fc8c514912e95e40b3439fc43c3e3124b7ed189a3)
lib/initializeCaller.js contains a self-executing IIFE that POSTs the entire process.env object to a hardcoded remote endpoint and then executes the HTTP response body via new Function("require", response.data)(require). The destination URL is base64-encoded and stashed on a fake local `process.env` object under the misleading key `DEV_API_KEY`; decoded, it resolves to https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df. The package name mimics legitimate authentication libraries while the shipped code is a repackaged pino tree combined with the stealer module. On require, environment variables (which routinely include AWS/GCP tokens, CI secrets, npm tokens, and database credentials) are shipped off-host and the remote server is handed arbitrary Node.js code execution with full `require` access for follow-on payloads.

Compromised versions (1)

  • 2.3.5

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.