chai-as-auth @2.3.5
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10518
Ecosystem
npm
Summary
lib/initializeCaller.js contains a self-executing IIFE that POSTs the entire process.env object to a hardcoded remote endpoint and then executes the HTTP response body via new Function("require", response.data)(require). The destination URL is base64-encoded and stashed on a fake local process.env object under the misleading key DEV_API_KEY ; decoded, it resolves to https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df. The package name mimics legitimate authentication libraries while the shipped code is a repackaged pino tree combined with the stealer module. On require, environment variables (which routinely include AWS/GCP tokens, CI secrets, npm tokens, and database credentials) are shipped off-host and the remote server is handed arbitrary Node.js code execution with full require access for follow-on payloads.
Source: amazon-inspector (12dffbf180eff9ea18e21c9fc8c514912e95e40b3439fc43c3e3124b7ed189a3)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.