{"id":"MAL-2026-10219","summary":"Malicious code in chai-as-precision (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (f8b5d1218fae5d91755d8f9ca8ed37983e7d589c6fd88012d3ddb29a84a2cc56)\nPackage is published as `chai-as-precision` but its shipped code mimics `pino` (exports `middleware.pino`, ships `pino.js`/`proto.js`/`redaction.js`), a name/purpose mismatch consistent with typosquatting or masquerade for transitive installation. When the exported middleware is invoked, `index.js` spawns `node lib/initializeCaller.js` with `detached: true`, `stdio: 'ignore'`, and `child.unref()`, decoupling the child from the parent and suppressing output. `lib/initializeCaller.js` shadows `process` with a local object whose `DEV_API_KEY` is a base64 blob decoding to `https://tomato-brunhilda-40.tiiny.site/index.json`, GETs that URL, and executes the returned `cookie` field via `new Function.constructor('require', response)(require)` — arbitrary attacker-controlled JavaScript is executed with full `require` access on the host running the middleware. The destination is an anonymous tiiny.site host unrelated to any documented purpose, the URL and custom auth header are base64-hidden behind a fake env-var wrapper, and the executed content is mutable and controlled by whoever owns the tiiny.site page.\n","modified":"2026-07-13T05:01:59.934343203Z","published":"2026-07-13T04:16:07Z","database_specific":{"malicious-packages-origins":[{"source":"amazon-inspector","modified_time":"2026-07-13T04:16:07Z","sha256":"f8b5d1218fae5d91755d8f9ca8ed37983e7d589c6fd88012d3ddb29a84a2cc56","id":"IN-MAL-2026-009791","import_time":"2026-07-13T04:43:12.803008019Z","versions":["7.0.6"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-as-precision/v/7.0.6"}],"affected":[{"package":{"name":"chai-as-precision","ecosystem":"npm","purl":"pkg:npm/chai-as-precision"},"versions":["7.0.6"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-precision/MAL-2026-10219.json","indicators":{"package_integrity":[{"filename":"chai-as-precision-7.0.6.tgz","hashes":{"sha512_sri":"sha512-czuo+QDm8qSMstomCrmn53KtrOg1udhLk/V0jGnPIvGMwGouX1QqVY2NrFVWUibqpg+UwT66oxQh2wYCXUWKuQ==","sha1":"73f07084423eb5fa5fb0ac8ecc504ee2b3791005"}}],"evidence_files":[{"sha256":"23436f977c9bbe6d302f0f94e191b3dfd938e5a0417ec098d38b60b0ed0cb14f","path":"lib/initializeCaller.js","tlsh":"9511c08e61fc200c046512e6b62f18126021e8673d86d5e47acc835b1f9567f7d936df"},{"sha256":"95a5e69b4d84d1f04654008f2cf649b8b5a80b1e49fca038a8f305076d166d82","path":"package.json","tlsh":"35019c20de788e2300ed25825c2a0643b6719c179928fd1932d7512c0f9e4bf05bf21d"},{"sha256":"1f51184c197102444a2c8a23e4a8e54a6479750420512922fcb5d5f795c33911","path":"index.js","tlsh":"0f318545b5f21259126d98c4f6b4a5263cdf9437331b76b1cded93952bce2080032bc7"}]},"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}