chai-as-thread @7.0.8
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC
OSV ID
MAL-2026-10048
Ecosystem
npm
Summary
On require, the package spawns a detached node child that runs lib/initializeCaller.js. That script decodes a base64-obscured URL (https://tomato-brunhilda-40.tiiny.site/index.json) and base64-obscured header credentials, fetches JSON from the endpoint via axios, and executes the returned cookie field with full require access using new Function.constructor("require", response)(require) . The remote host is an anonymous tiiny.site subdomain that can serve arbitrary code at any time. The package name mimics chai-as-promised and the README impersonates the pino logger project, indicating a typosquat lure delivering a remote-code-execution dropper.
Source: amazon-inspector (d69f1826d6866410cdfe11e20cff630d3f0118d48c0cc9f697297aa64d29b341)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.