VYPR

npm · Malicious package advisory

Malware

chai-presentation

MAL-2026-6994

Malicious code in chai-presentation (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (1d078bac337fe2c1b76c757c29d286fc750be585db65f30f5d696038c2ea0d3a)
On require(), index.js issues an HTTPS GET to https://www.jsonkeeper.com/b/PC5CK and passes the response's `cookie` field to `new Function('require',...)`, immediately invoking it with the host's `require`. This gives whoever controls that jsonkeeper.com paste full Node.js execution privileges on the installer's machine the moment any consumer imports the package. A second staged loader is wired in parallel: index.js top-level spawns a detached, stdio-ignored Node child running lib/caller.js, which polls a URL built from config values and, on a 404 response, passes `error.response.data.token` to Function.constructor and executes it with `require`. lib/const.js additionally stores a base64 string under `DEV_API_KEY` that decodes to https://jsonkeeper.com/b/4NAKK — a second anonymous paste-host URL hidden from plain-string scanning. The package name presents as a chai plugin but the README describes an unrelated package (`chai-submission`), and declared dependencies (axios, request, sqlite3) are unrelated to chai assertions — an impersonation lure wrapping two import-time remote-eval channels.

Compromised versions (4)

  • 0.0.1
  • 0.0.2
  • 0.0.4
  • 0.0.3

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.