npm

async-chain-dom @1.3.5

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10406

Ecosystem

npm

Summary

On require, index.js spawns a detached, unref'd node lib/vcall.js child process. lib/vcall.js fetches JavaScript from https://api.jsonsilo.com/public/df71fd55-4f0c-4326-9b5b-a285e38023a5, extracts the .model field from the response, and executes it via new Function.constructor("require", src) with require passed in, giving the remote endpoint arbitrary code execution inside the installer's Node process. The detached+unref pattern decouples the loader from the parent lifecycle so it persists after the consumer process exits, and a retry loop keeps the fetch running. The package masquerades as the pino logger (module.exports.pino = vCheck; keywords fast/logger/stream/json; lib files mimicking pino) despite the name async-chain-dom, providing a cover story for a developer to require it. The remote endpoint is a mutable jsonsilo.com blob under attacker control, so the executed payload can be swapped at any time.

Source: amazon-inspector (0f2ce6eed4ea7607d2f12f602b43b354b91ceba4cabdc761f569c3e1dc29b6f6)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.