chai-as-align @7.1.0
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC
OSV ID
MAL-2026-10039
Ecosystem
npm
Summary
The package presents itself as a testing/logging helper but its exported middleware factory spawns a detached background Node child that runs lib/initializeCaller.js. That script base64-decodes a hidden URL (https://amethyst-lorrin-26.tiiny.site/index.json) from a fake process.env stub, fetches its 'cookie' field over HTTPS with an 'x-secret-key' header, and executes the returned body via new Function.constructor('require', response) bound to the real require , in a retry loop. This yields full remote code execution on the installer's machine whenever the exported middleware is invoked. The destination is an anonymous file-hosting service (tiiny.site) whose contents are attacker-mutable. The package name closely resembles the popular chai-as-promised library, and its declared description/keywords do not match the shipped code, indicating typosquat delivery of the dropper. The detached+unref'd child with stdio ignored is used to hide the payload's activity from the consuming application.
Source: amazon-inspector (791f5dcd4f623d5301bc3abf922c5f0e4ff716017fe67d3673c778e9d31b0776)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.