npm

chai-as-hardened @7.0.9

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC

Malicious

OSV ID

MAL-2026-10621

Ecosystem

npm

Summary

On require, index.js spawns a detached Node child process running lib/initializeCaller.js. That script base64-decodes a hardcoded URL (tomato-brunhilda-40.tiiny.site/index.json) via atob, fetches the response with axios, and executes the response body through the Function constructor with require injected, granting the remote payload full Node capabilities on the installer's machine. The destination URL and request header are stored as base64 strings in a shadowed local process.env object to hide the target from static review. Package metadata is a cover story: the name resembles chai-as-promised, the description references vulnerability management, and exports mimic pino (module.exports.pino = middleware) with keywords 'logger', 'stream', 'json' to attract developers into installing and requiring it, at which point the remote-execution chain fires.

Source: amazon-inspector (20c6afe564cf46f02258e635c1b08a802cd4f9b949e098710f44544cdbb86dfd)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.