chai-as-sharpened @7.0.9
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC
OSV ID
MAL-2026-10045
Ecosystem
npm
Summary
On require, the package spawns a detached background node process running lib/initializeCaller.js . That script base64-decodes a hardcoded URL (https://tomato-brunhilda-40.tiiny.site/index.json), fetches JSON from it, and executes the returned cookie field through new Function.constructor('require', response)(require) — giving the remote payload full require access on the installer's host. The endpoint URL and request header key/value are hidden inside base64 strings assigned to a locally-shadowed process.env object and decoded via atob() at runtime, obfuscating the C2 destination. The package additionally impersonates two well-known libraries: the name chai-as-sharpened mimics chai-as-promised , and the README badges/links point to pino and pinojs/pino , using name confusion as the delivery vector. Import triggers unconditional RCE against any consumer.
Source: amazon-inspector (854e8e5d81ba59ee1353535523ea62b29c07de8d6a5cc50745a471696d80576a)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.