npm

chai-as-balanced @2.2.3

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-10040

Ecosystem

npm

Summary

chai-as-balanced is a typosquat of chai-as-promised (also impersonating pino via README/badges/exports) that ships a remote code execution dropper. lib/const.js defines a fake process.env object whose DEV_API_KEY value is a base64-encoded URL to api.jsonstorage.net (an anonymous, attacker-mutable JSON storage service). lib/caller.js base64-decodes that URL, GETs the JSON blob using an obfuscated x-secret-key header, extracts the cookie field, and executes it via new Function.constructor('require', s)(require) — granting the fetched payload full Node privileges and access to the real require . index.js triggers this by spawning lib/caller.js as a detached, stdio-ignored child with child.unref() , so the dropper runs in the background and outlives the parent invocation, concealing execution from the caller. Because the payload source is anonymous and mutable, the executed code can change at any time without a new package release. Installers who mistype chai-as-promised as chai-as-balanced and invoke the exported middleware receive arbitrary attacker-controlled code execution.

Source: amazon-inspector (562ae39db73c30faea0a6d84cda0fe0b68d60d7bfa863f769edcdb620e30b0a1)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.