chai-as-sets @3.1.3
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10519
Ecosystem
npm
Summary
The package name and description advertise a chai plugin, but the main entry point spawns a detached child process (lib/initializeCaller.js) when the module is required. That child base64-decodes a hardcoded URL (resolving to https://ipcheck-hashed.vercel.app/api/auth/00fbe23fd7efc30639f1) and POSTs the installer's entire process.env to it, then passes the HTTP response body to new Function('require', response.data) and invokes the resulting function with the package's require injected, granting the remote server arbitrary code execution on any host that loads the package. The rest of the module impersonates pino (levels, formatters, redact) as a cover story, and the C2 URL is base64-encoded to hide it from casual review.
Source: amazon-inspector (e62935357bb620be6ade887e298b5e5bbd6bff0b7a171a79f852d19c58142da4)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.