npm

chai-as-byte @3.1.6

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 7:51 AM UTC

Malicious

OSV ID

MAL-2026-10630

Ecosystem

npm

Summary

On require of the package's main entry, index.js detaches a child process that runs lib/initializeCaller.js. That script posts the caller's entire process.env to a base64-obfuscated URL (decoded destination: https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df) using axios, then passes the response body to new Function('require', response.data) and invokes it with the module require — giving the remote endpoint arbitrary code execution on the installer's host with full module access. The package name mimics the chai-as-* family while its metadata advertises a JSON logger, and neither role is implemented in the shipped code; the main entry silently spawns the exfil/RCE task instead of exposing any library API. The bulk-environment upload captures CI secrets, cloud tokens, and API keys that live in process.env in typical build environments.

Source: amazon-inspector (a6820ba756fd8d2eb81435c478feb269e34f2aea859e42b42861d0a28f914a1f)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.