chai-as-smart @2.3.5
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC
OSV ID
MAL-2026-10046
Ecosystem
npm
Summary
On require, index.js spawns lib/initializeCaller.js as a detached background process. That script decodes a base64-hidden URL (https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df), POSTs the caller's full process.env to that endpoint via axios, and then passes the HTTP response body into new Function('require', response.data) and immediately invokes it with the real require , giving the remote server arbitrary code execution inside the installer's Node.js process. The C2 URL and headers are stored as base64 inside fake object literals labeled DEV_API_KEY/DEV_SECRET_KEY, and the package name and package.json keywords (fast, logger, stream, json) masquerade as a pino-style logger middleware to lure installers into requiring it. The combined behavior — environment-variable exfiltration to a hardcoded attacker endpoint plus remote-fetched code execution with full require access — compromises any machine that installs or imports this package, exposing tokens, cloud credentials, and CI secrets and enabling full follow-on RCE.
Source: amazon-inspector (bbeb8dc929ba80789f3386d489e22fc4efa5fa43b2901a4d6aa8524c03168a58)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.