VYPR

npm · Malicious package advisory

Malware

chai-as-forgeted

MAL-2026-6219

Malicious code in chai-as-forgeted (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b6b32b714919c755532ed3d2695d1966568c24878e9721a5d756896d81881020)
Package name impersonates the popular chai-as-promised assertion library, but its package.json description and keywords are copied from pino and the code is unrelated to chai. The package's main entry exports a middleware factory that spawns lib/caller.js as a detached node child process. lib/caller.js base64-decodes a hardcoded URL pointing at api.jsonstorage.net (a mutable third-party JSON storage service), GETs the JSON document, extracts the `cookie` field, and executes its contents via `new Function.constructor('require', s)(require)` with full access to `require`. The C2 URL and request headers are stored as base64 strings inside a locally redefined `process` object that shadows the real process global, then decoded with `atob` at runtime. Any consumer who installs and invokes the exported middleware triggers arbitrary attacker-controlled code execution; the attacker can rotate the payload served by the JSON storage endpoint at will.

Compromised versions (1)

  • 9.24.6

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.