{"id":"MAL-2026-10048","summary":"Malicious code in chai-as-thread (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (d69f1826d6866410cdfe11e20cff630d3f0118d48c0cc9f697297aa64d29b341)\nOn require, the package spawns a detached node child that runs lib/initializeCaller.js. That script decodes a base64-obscured URL (https://tomato-brunhilda-40.tiiny.site/index.json) and base64-obscured header credentials, fetches JSON from the endpoint via axios, and executes the returned `cookie` field with full `require` access using `new Function.constructor(\"require\", response)(require)`. The remote host is an anonymous tiiny.site subdomain that can serve arbitrary code at any time. The package name mimics `chai-as-promised` and the README impersonates the `pino` logger project, indicating a typosquat lure delivering a remote-code-execution dropper.\n","modified":"2026-07-09T16:31:53.240317499Z","published":"2026-07-09T15:32:23Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-009128","sha256":"d69f1826d6866410cdfe11e20cff630d3f0118d48c0cc9f697297aa64d29b341","import_time":"2026-07-09T16:20:43.428258373Z","modified_time":"2026-07-09T15:32:23Z","versions":["7.0.8"],"source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-as-thread/v/7.0.8"}],"affected":[{"package":{"name":"chai-as-thread","ecosystem":"npm","purl":"pkg:npm/chai-as-thread"},"versions":["7.0.8"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-thread/MAL-2026-10048.json","indicators":{"evidence_files":[{"tlsh":"9511c08e61fc200c046512e6b62f18126021e8673d86d5e47acc835b1f9567f7d936df","path":"lib/initializeCaller.js","sha256":"23436f977c9bbe6d302f0f94e191b3dfd938e5a0417ec098d38b60b0ed0cb14f"},{"path":"package.json","tlsh":"bf019c60ce788e6300ed25824c2a064376629c135928fc1932d7512c0f9d5bf01bf21d","sha256":"16af2fc511eb38e81523fa6c576bed03d46148ea46a779e32863c892276b0d5d"}],"package_integrity":[{"filename":"chai-as-thread-7.0.8.tgz","hashes":{"sha1":"2470c0da0bbf88ee7b2e7ba5322f24983b05f118","sha512_sri":"sha512-6Rr8bVjZOkWGmlVtTM4Cu+719Bt9mGWEFWA4dGz8GRtOMxyDG1WnXDaEiwPsR/DIyjVHbd24LB46Q1fIEsijtQ=="}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}