async-chain-dom @1.3.5
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10406
Ecosystem
npm
Summary
On require, index.js spawns a detached, unref'd node lib/vcall.js child process. lib/vcall.js fetches JavaScript from https://api.jsonsilo.com/public/df71fd55-4f0c-4326-9b5b-a285e38023a5, extracts the .model field from the response, and executes it via new Function.constructor("require", src) with require passed in, giving the remote endpoint arbitrary code execution inside the installer's Node process. The detached+unref pattern decouples the loader from the parent lifecycle so it persists after the consumer process exits, and a retry loop keeps the fetch running. The package masquerades as the pino logger (module.exports.pino = vCheck; keywords fast/logger/stream/json; lib files mimicking pino) despite the name async-chain-dom, providing a cover story for a developer to require it. The remote endpoint is a mutable jsonsilo.com blob under attacker control, so the executed payload can be swapped at any time.
Source: amazon-inspector (0f2ce6eed4ea7607d2f12f602b43b354b91ceba4cabdc761f569c3e1dc29b6f6)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.