chai-as-doc @2.3.5
Vulnerability report · Last retrieved from osv.dev July 11, 2026 at 5:36 AM UTC
OSV ID
MAL-2026-10175
Ecosystem
npm
Summary
The package presents itself as pino-style logging middleware but on require() spawns a detached Node child that runs lib/initializeCaller.js. That script base64-decodes a hardcoded URL (stored as a fake DEV_API_KEY constant) resolving to https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df, POSTs the entire process.env object to it with an x-secret-header, and then passes the HTTP response body to new Function("require", response.data) and invokes it with the local require. This gives the remote host arbitrary code execution inside the installer's Node process with full environment/credential access. The base64 obfuscation of the endpoint, the disguised middleware cover story, and the name resembling chai/chai-as-promised are consistent with a typosquat supply-chain attack.
Source: amazon-inspector (cecfd3091225b3667317dd9da8fd56c4f5e7fc675e17d52cda601898b3a50ec2)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.