npm

chai-as-modified @6.0.4

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-10043

Ecosystem

npm

Summary

Package name is a 1-2 character variant of the widely-used chai-as-promised plugin. The exported function — the entry point users pass to chai.use(...) per the copied pino README — invokes a runBackgroundTask helper that spawns a detached node subprocess ( detached: true , stdio: 'ignore' , child.unref() ) running a sibling ./lib/initializeCaller.js , then returns a no-op pass-through middleware. The detached, unref'd child is decoupled from the parent test runner and outlives it — an out-of-band execution channel that has no relationship to the advertised purpose of a chai assertion plugin. The lib/ directory ships a verbatim copy of unrelated pino source as decoy content, and the README is copied from pinojs/pino. In this specific tarball the referenced ./lib/initializeCaller.js file is not present, so the fork currently errors out, but the launcher stub, name-confusion vector, decoy content, and covert-execution mechanism are all in place; the missing payload is consistent with a staged release or intended delivery via a sibling/subsequent publish.

Source: amazon-inspector (ab841cd3ab01bfcd1257a214489b41f10e236779e236a0672642777160245a9e)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.