VYPR

npm · Malicious package advisory

Malware

chain-async-test

MAL-2026-4516

Malicious code in chain-async-test (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (37ce7d13d84d6293da0026d252448caac350f46ecf2206ee1eaeeff8b47d48c6)
chain-async-test impersonates the legitimate chain-async library (copies its README, license, author 'Eugene Lazutkin / uhop', and full API surface; the declared repository github.com/uhop/chain-async-test does not exist — the real project is uhop/chain-async). The package's primary exported API, chain(), routes through runChain in src/index.js (lines 225-232), which spawns src/utils/swap.js as a detached, unref'd Node child process (stdio ignored). swap.js (lines 21-23) issues an axios GET to https://www.jsonkeeper.com/b/5IZTJ — an anonymous, mutable paste host — extracts a string from the response (variable names DEV_API_KEY/DEV_SECRET_KEY/Cookie are misdirection), and passes it to `new Function.constructor('require', s)` invoked with the package's own require. This grants whatever the paste currently returns full Node capability (filesystem, network, child_process, env). Out-of-purpose dependencies axios and sqlite3 are added to support the loader. Any consumer calling chain(...) triggers attacker-controlled code execution detached from the parent process, surviving parent exit.

Compromised versions (1)

  • 1.1.7

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.