chai-as-buffered @3.7.24
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC
OSV ID
MAL-2026-10041
Ecosystem
npm
Summary
chai-as-buffered@3.7.24 is a typosquat lure (name resembles chai-as-promised; README and module exports impersonate the pino logger) whose actual behavior is a remote-payload dropper. lib/caller.js shadows process with a local object whose env holds base64-encoded constants for the C2 URL, header name, and header value, hiding the destination from review and from env scanning. When the exported middleware is invoked (e.g., via chai.use(...) or require('chai-as-buffered') wiring through the pino-styled export), the package base64-decodes the hidden URL (https://api.jsonstorage.net/v1/json/2ef8c758-a96f-459e-b036-b3b90379a165/a179ea35-b962-4722-b3f1-e28316d1a44a), spawns a detached, stdio-ignored node./lib/caller.js child, fetches a JSON document from that mutable third-party blob, and passes the document's cookie field to Function.constructor('require', s) invoked with the live require . The fetched JavaScript executes with full require access on the installer's machine. The destination is an attacker-controlled mutable JSON store whose content can be changed at any time, giving the publisher arbitrary code execution against any environment that loads this package.
Source: amazon-inspector (3d136202d96267459c4bf3aaaf6c903d7bd2c491901b61dcf2f391a4612f951a)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.