npm

chai-as-smart @2.3.5

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-10046

Ecosystem

npm

Summary

On require, index.js spawns lib/initializeCaller.js as a detached background process. That script decodes a base64-hidden URL (https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df), POSTs the caller's full process.env to that endpoint via axios, and then passes the HTTP response body into new Function('require', response.data) and immediately invokes it with the real require , giving the remote server arbitrary code execution inside the installer's Node.js process. The C2 URL and headers are stored as base64 inside fake object literals labeled DEV_API_KEY/DEV_SECRET_KEY, and the package name and package.json keywords (fast, logger, stream, json) masquerade as a pino-style logger middleware to lure installers into requiring it. The combined behavior — environment-variable exfiltration to a hardcoded attacker endpoint plus remote-fetched code execution with full require access — compromises any machine that installs or imports this package, exposing tokens, cloud credentials, and CI secrets and enabling full follow-on RCE.

Source: amazon-inspector (bbeb8dc929ba80789f3386d489e22fc4efa5fa43b2901a4d6aa8524c03168a58)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.