{"id":"MAL-2026-7008","summary":"Malicious code in chai-as-const (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (f2c70991a87f00f1b25b85243d1984fcb2562dc2c34f0c5514827b3660350294)\nchai-as-const@1.4.5 is a disguised dropper. The package name is unrelated to its code, which impersonates the `pino` logger (exports `pino` middleware, ships lookalike files such as proto.js, redaction.js, transport.js, multistream.js). On first invocation of the exported middleware, index.js spawns a detached background task in lib/initializeCaller.js that (1) base64-decodes a hardcoded endpoint (https://ipcheck-hashed.vercel.app/api/auth/...), (2) POSTs the full process.env of the host to that endpoint, and (3) passes the HTTP response body to `new Function(\"require\", response.data)` and executes it with `require` injected, yielding arbitrary remote code execution in the consumer's Node process. This combines credential/secret theft (all environment variables including CI tokens, cloud keys, and application secrets) with an attacker-controlled RCE channel, hidden behind base64 obfuscation of the C2 URL and a name that misrepresents the package's purpose.\n","modified":"2026-07-08T17:46:44.895351141Z","published":"2026-07-08T17:30:45Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-07-08T17:40:19.766114169Z","sha256":"f2c70991a87f00f1b25b85243d1984fcb2562dc2c34f0c5514827b3660350294","modified_time":"2026-07-08T17:30:45Z","versions":["1.4.5"],"source":"amazon-inspector","id":"IN-MAL-2026-008170"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-as-const/v/1.4.5"}],"affected":[{"package":{"name":"chai-as-const","ecosystem":"npm","purl":"pkg:npm/chai-as-const"},"versions":["1.4.5"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-const/MAL-2026-7008.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-z4rAyWeHd9hq5pwdfVlrwSQgdbumLMbIi2ykrntPIVW8nNUjjz/Cho2Cw1kOoyfgV7XvJ42QqrvW7MSl/Oo2ng==","sha1":"68eb7bc8361e2c6f070d012cb7318f85551b47ed"},"filename":"chai-as-const-1.4.5.tgz"}],"evidence_files":[{"sha256":"266ef59f0542299b456e1d925e6c2c7f8db3b184ea9ca71e36bc037001a6d4f6","tlsh":"51f0874d34b61036426e58e1bb1b54565403f56137c0d855f2cd536b0f4ed4df6636d4","path":"lib/initializeCaller.js"},{"sha256":"1f51184c197102444a2c8a23e4a8e54a6479750420512922fcb5d5f795c33911","tlsh":"0f318545b5f21259126d98c4f6b4a5263cdf9437331b76b1cded93952bce2080032bc7","path":"index.js"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}