npm

chai-as-serialized @7.0.8

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-10044

Ecosystem

npm

Summary

The package's main entry (index.js) spawns a detached node child process running lib/initializeCaller.js as a side effect of invoking the exported middleware factory. lib/initializeCaller.js constructs a fake process.env object whose fields hold base64 blobs; DEV_API_KEY decodes to https://tomato-brunhilda-40.tiiny.site/index.json and DEV_SECRET_KEY/DEV_SECRET_VALUE decode to an x-secret-key request header. The script fetches the JSON body from that anonymous host and executes it via new Function.constructor("require", response)(require) , granting the remote host arbitrary code execution with require access in the installer/consumer's Node process. The package name mimics chai-as-promised and the README is copied from pino (pino badges, pino narrative, keywords fast,logger,stream,json ), while the shipped code has no relation to either — the impersonation is a lure to attract installs to a remote-code-execution dropper. Base64-encoding of the C2 URL and header, disguised as environment-variable configuration, confirms hostile intent.

Source: amazon-inspector (30e48e8980927471640c6573406d988d1a4361759f14a952da36c5daa1c9fd3c)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.