npm · Malicious package advisory
Malwarechai-as-vite
MAL-2026-4514
Malicious code in chai-as-vite (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (b7096b7b983ae63f8e59f9e047440547c9536f6c4c9da0ac46909b91a9d4e10e)
The package masquerades as a pino-style logger (exports `module.exports.pino = middleware`, keywords `fast,logger,stream,json`, lib filenames `proto.js`, `redaction.js`, `multistream.js`, `transport.js`) under a name evoking chai/vite tooling. When a consumer requires the package and invokes the exported middleware, `lib/initializeCaller.js` is launched as a detached `node` child process. That script defines a local `process` shadow whose `env` holds base64 strings (DEV_API_KEY, DEV_SECRET_KEY, DEV_SECRET_VALUE), `atob`-decodes them to recover the URL `https://purple-kelila-79.tiiny.site/data.json` and the header `x-secret-key: _`, fetches the response via axios, then executes the response body with `new Function.constructor('require', response)(require)` — full arbitrary code execution with `require` access on the installer's machine, with retry. The destination is an anonymous, mutable tiiny.site host with no version pinning and no integrity check, so the operator can rotate the delivered payload at will. Base64-encoded URL and header values, the fake `process.env` shadow, and the detached child-process launch are intentional evasion.
Compromised versions (1)
- 2.3.5
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.