chai-as-hardened @7.0.9
Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC
OSV ID
MAL-2026-10621
Ecosystem
npm
Summary
On require, index.js spawns a detached Node child process running lib/initializeCaller.js. That script base64-decodes a hardcoded URL (tomato-brunhilda-40.tiiny.site/index.json) via atob, fetches the response with axios, and executes the response body through the Function constructor with require injected, granting the remote payload full Node capabilities on the installer's machine. The destination URL and request header are stored as base64 strings in a shadowed local process.env object to hide the target from static review. Package metadata is a cover story: the name resembles chai-as-promised, the description references vulnerability management, and exports mimic pino (module.exports.pino = middleware) with keywords 'logger', 'stream', 'json' to attract developers into installing and requiring it, at which point the remote-execution chain fires.
Source: amazon-inspector (20c6afe564cf46f02258e635c1b08a802cd4f9b949e098710f44544cdbb86dfd)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.