{"id":"MAL-2026-10175","summary":"Malicious code in chai-as-doc (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (cecfd3091225b3667317dd9da8fd56c4f5e7fc675e17d52cda601898b3a50ec2)\nThe package presents itself as pino-style logging middleware but on require() spawns a detached Node child that runs lib/initializeCaller.js. That script base64-decodes a hardcoded URL (stored as a fake DEV_API_KEY constant) resolving to https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df, POSTs the entire process.env object to it with an x-secret-header, and then passes the HTTP response body to `new Function(\"require\", response.data)` and invokes it with the local require. This gives the remote host arbitrary code execution inside the installer's Node process with full environment/credential access. The base64 obfuscation of the endpoint, the disguised middleware cover story, and the name resembling chai/chai-as-promised are consistent with a typosquat supply-chain attack.\n","modified":"2026-07-10T21:31:48.961448218Z","published":"2026-07-10T21:24:50Z","database_specific":{"malicious-packages-origins":[{"sha256":"cecfd3091225b3667317dd9da8fd56c4f5e7fc675e17d52cda601898b3a50ec2","import_time":"2026-07-10T21:26:06.007803703Z","source":"amazon-inspector","id":"IN-MAL-2026-009714","versions":["2.3.5"],"modified_time":"2026-07-10T21:24:50Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-as-doc/v/2.3.5"}],"affected":[{"package":{"name":"chai-as-doc","ecosystem":"npm","purl":"pkg:npm/chai-as-doc"},"versions":["2.3.5"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-doc/MAL-2026-10175.json","indicators":{"package_integrity":[{"filename":"chai-as-doc-2.3.5.tgz","hashes":{"sha512_sri":"sha512-mn+k+zE6L5wdiEpurZCLNXuBEwiJdgozfMwqe+9pnoeS4HGjnMMCfFxT2HGKrXiAV13WCU9rANeJShKIXv4EhA==","sha1":"2ff81e9aa495165d5a93b34d754ea5d4b50ea698"}}],"evidence_files":[{"sha256":"fc61b0ed62e346bfbb5e1e093e475d8b3065247dc8d315f0ea4e7cafd9661bad","path":"lib/initializeCaller.js","tlsh":"f921f38e15fe101d066751e6bb2f24027022e8133946d4a47bcc835b1fc966e99936df"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}