npm

chai-as-attested @6.0.3

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-6218

Ecosystem

npm

Summary

Package impersonates a pino-style logger (exports module.exports.pino, ships pino-like DEFAULT_LEVELS, keywords fast/logger/stream/json) but the exported middleware spawns a detached node lib/initializeCaller.js that fetches a JSON document from a hardcoded free file-hosting URL (https://amethyst-lorrin-26.tiiny.site/index.json) and executes the cookie field of the response via new Function.constructor('require', response)(require), granting the remote payload full Node require access. The endpoint URL and request headers are base64-encoded inside fake process.env-named constants and decoded at runtime with atob to evade scanners; the fetch is retried 5 times. Any consumer who imports the package and invokes the middleware (or runs the package's smoke script) executes attacker-controlled code on the host. The package name and pino-mimicking API surface are a lure — chai-as-attested has no relation to chai-as-promised or to pino.

Source: amazon-inspector (88e27467366a90f482eb47476458b1f74d5a41ac63371572e527f2e60e4e0b51)
