{"id":"MAL-2026-10056","summary":"Malicious code in chain-chai-await (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (53dc585524bcc3e64a107006ba8c763591b071bb174c7acadd716b6e99ac1c34)\nThe package presents itself as a pino-compatible logger (exports `pino`, mirrors pino's lib/ layout with proto.js/redaction.js/transport.js/multistream.js/levels.js/time.js/symbols.js, and copies pino's defaultOptions shape) but has no relationship to the real pino package. When a consumer requires the package and invokes the exported middleware factory, index.js spawns lib/caller.js as a detached Node subprocess. caller.js performs an axios GET to https://jsonkeeper.com/b/K80JD, reads the `cookie` field from the JSON response, and executes it via `new Function.constructor(\"require\", s)(require)` — arbitrary remote code execution in the consumer's Node process with full access to `require`. The fetch is retried up to 5 times. lib/const.js additionally stores a base64-encoded backup endpoint (aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iL1pLNDVK → https://jsonkeeper.com/b/ZK45J) and base64-encoded header key/value (`x-secret-key`, `_`) used by the loader. The pino cover story, mirrored file layout, obfuscated backup URL, and remote-fetch-and-execute primitive against a public paste-like host are the fingerprint of a dropper disguised as a logging library.\n","modified":"2026-07-09T16:31:55.055649095Z","published":"2026-07-09T15:32:40Z","database_specific":{"malicious-packages-origins":[{"versions":["1.3.6"],"sha256":"0b75f72f341a3e6ab70047551fd2ecad4fb8fe619395cab5017f95b124594ade","import_time":"2026-07-09T16:20:43.661324493Z","id":"IN-MAL-2026-009130","source":"amazon-inspector","modified_time":"2026-07-09T15:32:40Z"},{"versions":["1.3.7"],"sha256":"53dc585524bcc3e64a107006ba8c763591b071bb174c7acadd716b6e99ac1c34","id":"IN-MAL-2026-009131","import_time":"2026-07-09T16:20:43.732690893Z","source":"amazon-inspector","modified_time":"2026-07-09T15:32:49Z"},{"versions":["1.3.5"],"sha256":"8b950bcb8ad2c8f74739a2958be5c2b3121292e61c997fca332449a12dab2585","id":"IN-MAL-2026-009135","import_time":"2026-07-09T16:20:44.221809637Z","source":"amazon-inspector","modified_time":"2026-07-09T15:33:24Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/chain-chai-await/v/1.3.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/chain-chai-await/v/1.3.7"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/chain-chai-await/v/1.3.5"}],"affected":[{"package":{"name":"chain-chai-await","ecosystem":"npm","purl":"pkg:npm/chain-chai-await"},"versions":["1.3.6","1.3.7","1.3.5"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha1":"9ad00c36d71bda1d53a4a174c1f684e1ebf08119","sha512_sri":"sha512-YwA65VjZWzzWsjW/53bWbm6Ab6Hxs1+zFR6TDLsBROxzdFM/Pt3fPpKNW4zaJPpgyNhzJbLfflwFoD5LFLQsjA=="},"filename":"chain-chai-await-1.3.6.tgz"}],"evidence_files":[{"sha256":"102c4a9ea61e1c2c2b97b9f801fd75cd36e0cb6ae526f5b28b48f92f440c9265","tlsh":"aa019c4e30fd101c015111e66b1fa4327010e4573d0ad4d4374c87521faa5ae6a53ede","path":"lib/caller.js"},{"sha256":"32e82853dd646aac388b78f868241267a5e6483d847df3d4c843f8100590d469","tlsh":"30213f8175f111480658d9c8b569e5363ce3c4377207b9b0e9ecb7862bcf20c0272ad7","path":"index.js"},{"sha256":"9879ffb0bf61edef7e9b90ddc5fac9770c514c0cdecd9a07b15e8a677e6f8f74","tlsh":"8ac08c8351e4a89704301773610ca995f2a1d26f0c840b0331f594844a396a93840fbb","path":"lib/const.js"}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chain-chai-await/MAL-2026-10056.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}