chai-as-disarmed @3.2.3
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC
OSV ID
MAL-2026-10042
Ecosystem
npm
Summary
Package name typosquats chai-as-promised while the README and keywords impersonate pino to bait installs. On require() , index.js detach-spawns lib/caller.js , which decodes a base64-stored URL to https://api.jsonstorage.net/v1/json/2ef8c758-.../a179ea35-... , issues an authenticated GET (header name and value are also base64-hidden inside a local object that shadows process.env ), and executes the returned .cookie string via new Function.constructor('require', s)(require) — granting the remote operator arbitrary code execution in the installer's Node.js process with full require access. The fetch retries up to 5 times. The remote content sits in a mutable third-party JSON store, so the executed payload can be swapped at any time without republishing the package. None of this behavior corresponds to the advertised chai/pino functionality.
Source: amazon-inspector (b6d396201a3dd1706d97f7daa880f254c920bbea65ea6b013ed48f78a21a0241)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.