chai-as-byte @3.1.6
Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 7:51 AM UTC
OSV ID
MAL-2026-10630
Ecosystem
npm
Summary
On require of the package's main entry, index.js detaches a child process that runs lib/initializeCaller.js. That script posts the caller's entire process.env to a base64-obfuscated URL (decoded destination: https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df) using axios, then passes the response body to new Function('require', response.data) and invokes it with the module require — giving the remote endpoint arbitrary code execution on the installer's host with full module access. The package name mimics the chai-as-* family while its metadata advertises a JSON logger, and neither role is implemented in the shipped code; the main entry silently spawns the exfil/RCE task instead of exposing any library API. The bulk-environment upload captures CI secrets, cloud tokens, and API keys that live in process.env in typical build environments.
Source: amazon-inspector (a6820ba756fd8d2eb81435c478feb269e34f2aea859e42b42861d0a28f914a1f)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.