chai-as-operated @6.0.3
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC
OSV ID: MAL-2026-6350
Ecosystem: npm
Summary
Package name impersonates the widely used chai-as-promised (the README instructs chai.use(chaiAsOperated)), and the README badges further impersonate pino (the npm and GitHub Actions shields point at pinojs/pino). On require('chai-as-operated'), index.js exposes a middleware factory that spawns a detached node ./lib/initializeCaller.js. That script defines a fake process object containing base64-obfuscated values (DEV_API_KEY decodes to https://amethyst-lorrin-26.tiiny.site/index.json, plus obfuscated x-secret-key header credentials), then performs axios.get(apiEndpoint, ...) and executes the response body via new Function.constructor('require', response)(require), with retry logic. The remote payload runs with full Node require access in a detached background process. The destination is a free tiiny.site host (author-mutable, anonymous infrastructure), and the URL is hidden behind base64 to evade casual review and string scanners. This is a classic typosquat + remote-execution dropper.
Source: amazon-inspector (927e5f9d908ce243e10ddf51e2463ac96c6f685790ec9f35dcc7309c90ad8407)