chai-as-synced @6.0.3
Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 2:48 PM UTC
OSV ID
MAL-2026-6497
Ecosystem
npm
Summary
Package name 'chai-as-synced' impersonates the well-known 'chai-as-promised'. On require, index.js spawns a detached, stdio-ignored Node child running lib/initializeCaller.js. That script decodes a base64-obfuscated URL (https://amethyst-lorrin-26.tiiny.site/index.json) and an 'x-secret-key' header literal stored inside a fake local process.env object, performs an HTTPS GET to that anonymous static-hosting endpoint, and passes the returned 'cookie' field to new Function.constructor(...) invoked with require injected, retried up to 5 times. The fetched JavaScript runs in the installer's Node process with full require access. The destination obfuscation, detached/unref'd child, and hidden stdio together indicate a covert loader; the declared dependencies (sqlite3, request, axios) and package keywords do not match the advertised purpose.
Source: amazon-inspector (7bc0ee3e6a8341e046b84880f9faf0a4750f4a261a791b95d1267066d7828071)