npm · Malicious package advisory
Malwarechai-as-sets
MAL-2026-10519
Malicious code in chai-as-sets (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (e62935357bb620be6ade887e298b5e5bbd6bff0b7a171a79f852d19c58142da4)
The package name and description advertise a chai plugin, but the main entry point spawns a detached child process (lib/initializeCaller.js) when the module is required. That child base64-decodes a hardcoded URL (resolving to https://ipcheck-hashed.vercel.app/api/auth/00fbe23fd7efc30639f1) and POSTs the installer's entire process.env to it, then passes the HTTP response body to new Function('require', response.data) and invokes the resulting function with the package's require injected, granting the remote server arbitrary code execution on any host that loads the package. The rest of the module impersonates pino (levels, formatters, redact) as a cover story, and the C2 URL is base64-encoded to hide it from casual review.
Compromised versions (1)
- 3.1.3
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.