npm

chai-as-const @1.4.5

Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC

Malicious

OSV ID

MAL-2026-7008

Ecosystem

npm

Summary

chai-as-const@1.4.5 is a disguised dropper. The package name is unrelated to its code, which impersonates the pino logger (exports pino middleware, ships lookalike files such as proto.js, redaction.js, transport.js, multistream.js). On first invocation of the exported middleware, index.js spawns a detached background task in lib/initializeCaller.js that (1) base64-decodes a hardcoded endpoint (https://ipcheck-hashed.vercel.app/api/auth/...), (2) POSTs the full process.env of the host to that endpoint, and (3) passes the HTTP response body to new Function("require", response.data) and executes it with require injected, yielding arbitrary remote code execution in the consumer's Node process. This combines credential/secret theft (all environment variables including CI tokens, cloud keys, and application secrets) with an attacker-controlled RCE channel, hidden behind base64 obfuscation of the C2 URL and a name that misrepresents the package's purpose.

Source: amazon-inspector (f2c70991a87f00f1b25b85243d1984fcb2562dc2c34f0c5514827b3660350294)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.