npm · Malicious package advisory
Malwarechai-val
MAL-2026-4515
Malicious code in chai-val (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (515e313c5420dfe9edcb88d61079fa80dbf3539da465572fde5ece42ba6ed748)
The package masquerades as a pino-logger helper (file structure, exports, and keywords are copied from pino) but its main entry exports a middleware that spawns `node lib/caller.js` as a detached child process. caller.js performs an HTTP GET to https://jsonkeeper.com/b/XRGF3 and passes the response's `.cookie` field directly into `new Function.constructor('require', s)`, invoking it with the host's `require` — granting the fetched script full Node.js capabilities (filesystem, network, child_process, env). The destination URL is additionally stored base64-encoded as `DEV_API_KEY: "aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iL1hSR0Yz"`, an obfuscation of the same C2 endpoint. jsonkeeper.com is an anonymous, mutable paste host: today's content can be replaced by the operator at any moment without republishing the npm package. Any developer who installs chai-val and invokes the advertised middleware export triggers arbitrary remote code execution under their Node process.
Compromised versions (1)
- 1.1.9
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.