npm

chai-as-staged @6.0.4

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-10047

Ecosystem

npm

Summary

Package name impersonates the popular chai-as-promised testing library and the README is copied from pino . The advertised usage chai.use(chaiAsStaged) triggers a detached node child process that runs lib/initializeCaller.js . That file hides its C2 endpoint and a custom HTTP header name/value as base64 strings stored under decoy names ( DEV_API_KEY , DEV_SECRET_KEY , DEV_SECRET_VALUE ) inside a fake local process object; at runtime it base64-decodes the URL to https://amethyst-lorrin-26.tiiny.site/index.json , fetches it with the obfuscated header, extracts the .cookie field from the JSON response, and executes the returned JavaScript via new Function.constructor('require', response)(require) in a retry loop. Attacker-controlled code is therefore executed on the installer's machine with full require access whenever the library is used as documented. The combination of name/README impersonation, base64-obfuscated C2 on an anonymous static-hosting host, and dynamic code construction with require removes any benign interpretation.

Source: amazon-inspector (84d908f9158abcdd631b569f812b06cb59a1788f2435dd05a47fd39021d60a49)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.