VYPR

npm · Malicious package advisory

Malware

chai-as-victimed

MAL-2026-5605

Malicious code in chai-as-victimed (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (4b60cf728d4e2f5932f37d3e420649f6facc08959a8380a4724ec9e885b88754)
Package name impersonates chai-as-promised but ships a remote-code dropper. lib/caller.js base64-decodes a hardcoded URL pointing to https://api.jsonstorage.net/v1/json/2ef8c758-a96f-459e-b036-b3b90379a165/a179ea35-b962-4722-b3f1-e28316d1a44a (an attacker-controlled mutable JSON store), issues a GET with a custom `x-secret-key: _` header, takes the response's `.cookie` field, and executes it via `new Function.constructor('require', s)(require)` — granting the fetched code full Node privileges and `require` access. The URL, header name, and header value are stored base64-encoded under fake keys (`DEV_API_KEY`, `DEV_SECRET_KEY`, `DEV_SECRET_VALUE`) on a shadow `process.env` object to evade string scans. index.js spawns `node lib/caller.js` detached from the package's default export, so any consumer that loads and invokes the advertised middleware triggers arbitrary remote code execution on the installer's machine, retried up to 5 times. The README/keywords cosplay a logger (pino) while the package name targets users looking for chai-as-promised — neither matches the actual behavior.

Compromised versions (1)

  • 6.1.21

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.