chai-as-modified @6.0.4
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC
OSV ID
MAL-2026-10043
Ecosystem
npm
Summary
Package name is a 1-2 character variant of the widely-used chai-as-promised plugin. The exported function — the entry point users pass to chai.use(...) per the copied pino README — invokes a runBackgroundTask helper that spawns a detached node subprocess ( detached: true , stdio: 'ignore' , child.unref() ) running a sibling ./lib/initializeCaller.js , then returns a no-op pass-through middleware. The detached, unref'd child is decoupled from the parent test runner and outlives it — an out-of-band execution channel that has no relationship to the advertised purpose of a chai assertion plugin. The lib/ directory ships a verbatim copy of unrelated pino source as decoy content, and the README is copied from pinojs/pino. In this specific tarball the referenced ./lib/initializeCaller.js file is not present, so the fork currently errors out, but the launcher stub, name-confusion vector, decoy content, and covert-execution mechanism are all in place; the missing payload is consistent with a staged release or intended delivery via a sibling/subsequent publish.
Source: amazon-inspector (ab841cd3ab01bfcd1257a214489b41f10e236779e236a0672642777160245a9e)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.