npm · Malicious package advisory
Malwarechai-as-synced
MAL-2026-6497
Malicious code in chai-as-synced (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (7bc0ee3e6a8341e046b84880f9faf0a4750f4a261a791b95d1267066d7828071) Package name 'chai-as-synced' impersonates the well-known 'chai-as-promised'. On require, index.js spawns a detached, stdio-ignored Node child running lib/initializeCaller.js. That script decodes a base64-obfuscated URL (https://amethyst-lorrin-26.tiiny.site/index.json) and an 'x-secret-key' header literal stored inside a fake local process.env object, performs an HTTPS GET to that anonymous static-hosting endpoint, and passes the returned 'cookie' field to new Function.constructor(...) invoked with require injected, retried up to 5 times. The fetched JavaScript runs in the installer's Node process with full require access. The destination obfuscation, detached/unref'd child, and hidden stdio together indicate a covert loader; the declared dependencies (sqlite3, request, axios) and package keywords do not match the advertised purpose.
Compromised versions (1)
- 6.0.3
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.