VYPR

npm · Malicious package advisory

Malware

chai-val

MAL-2026-4515

Malicious code in chai-val (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (515e313c5420dfe9edcb88d61079fa80dbf3539da465572fde5ece42ba6ed748)
The package masquerades as a pino-logger helper (file structure, exports, and keywords are copied from pino) but its main entry exports a middleware that spawns `node lib/caller.js` as a detached child process. caller.js performs an HTTP GET to https://jsonkeeper.com/b/XRGF3 and passes the response's `.cookie` field directly into `new Function.constructor('require', s)`, invoking it with the host's `require` — granting the fetched script full Node.js capabilities (filesystem, network, child_process, env). The destination URL is additionally stored base64-encoded as `DEV_API_KEY: "aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iL1hSR0Yz"`, an obfuscation of the same C2 endpoint. jsonkeeper.com is an anonymous, mutable paste host: today's content can be replaced by the operator at any moment without republishing the npm package. Any developer who installs chai-val and invokes the advertised middleware export triggers arbitrary remote code execution under their Node process.

Compromised versions (1)

  • 1.1.9

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.