VYPR

npm · Malicious package advisory

Malware

chai-as-built

MAL-2026-6465

Malicious code in chai-as-built (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (469c5ebe97d1e69d080295000d723febbb06050f65aed9a0f44a76fd707c0b1e)
chai-as-built masquerades as the pino logger (package.json keywords 'fast','logger','stream','json'; file layout lib/proto.js, lib/redaction.js, lib/transport.js, lib/multistream.js, lib/levels.js; export `module.exports.pino = middleware`) while its name shadows the popular chai-as-promised. When a consumer imports the package and invokes the exported middleware, index.js spawns a detached `node` child process running lib/initializeCaller.js. That script base64-decodes a hardcoded URL (https://amethyst-lorrin-26.tiiny.site/index.json) hidden inside a fake `process.env` shadow object, GETs the JSON with a custom header, and passes the response's `cookie` field to `new Function.constructor('require', response)`, then invokes the resulting function with `require` — executing arbitrary attacker-supplied JavaScript with full Node privileges. The fetch is retried up to 5 times against a mutable anonymous tiiny.site host with no integrity check. The combination of typosquat/impersonation cover, base64 string concealment of the C2 endpoint, detached child-process execution, and dynamic Function-constructor evaluation of remote content is a textbook supply-chain dropper.

Compromised versions (1)

  • 6.0.3

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.