npm

chai-as-act @1.0.2

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC

Malicious

OSV ID

MAL-2026-10607

Ecosystem

npm

Summary

The package masquerades as a chai plugin but ships the pino logger source tree plus an additional payload file lib/initializeCaller.js. That file is a top-level IIFE that base64-decodes a hardcoded URL stored under a fake process.env.DEV_API_KEY literal (decoding to https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df), POSTs the entire process.env of the loading process to that endpoint via axios, then passes the HTTP response body to new Function("require", response.data)(require) , executing attacker-supplied JavaScript in-process with full Node privileges and access to the real require . Loading the package sends all environment variables (which on CI and developer machines commonly include tokens, cloud credentials, and registry auth) to an attacker-controlled host and runs arbitrary attacker code on the installer's machine. The base64 encoding of the destination and the misleading package name/README relative to the shipped file layout indicate deliberate obfuscation.

Source: amazon-inspector (bbf85a5e85f183a28cc32ff39ddcc68ef15b698cc62eccfaa89dd1bb80c709f6)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.