npm

chai-as-verified @7.1.5

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10504

Ecosystem

npm

Summary

Package name typosquats chai-as-promised while its package.json advertises unrelated logger/vulnerability-management metadata. On require, index.js invokes a middleware() that spawns a detached node child process running lib/initializeCaller.js with stdio ignored and unref()'d. That child decodes a base64-hidden URL (https://tomato-brunhilda-40.tiiny.site/index.json) from a shadowed process.env object, fetches the JS response with a base64-decoded header name x-secret-key , and executes it via new Function.constructor("require", response)(require) , granting the remote payload full Node require access. The C2 URL, header name, and header value are stored as base64 to hide them from static analysis.

Source: amazon-inspector (fece219fd09d83bc6a41135483cf3ce8cd2769c22e7776c22d0eb97d65852dd5)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.