chai-chain-dom @1.3.9
Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC
OSV ID
MAL-2026-6919
Ecosystem
npm
Summary
Package impersonates the pino logger (exports module.exports.pino, README uses pino badge, keywords mimic pino) but its actual behavior is a remote code loader. When a consumer requires the package and invokes the exported middleware/pino function, index.js spawns a detached node lib/caller.js subprocess (detached:true, stdio:ignore, child.unref()) to hide the activity from the parent process. lib/caller.js then performs an axios GET against https://jsonkeeper.com/b/HIOEN, takes the returned JavaScript from the response's model field, and evaluates it via new Function.constructor("require", src) , passing the live require — granting the remotely fetched attacker-controlled code full Node capability (filesystem, network, child_process, environment). jsonkeeper.com is a public paste service whose content the author can change at any time, so the payload is unpinned and mutable. The masquerade-as-pino name and the detached/stdio-ignored spawn indirection are consistent with deliberate delivery of arbitrary code to installers.
Source: amazon-inspector (f1964693dd7c2bdd9ca7ae20eb441597571b1b78a689bd97648998c6442bda99)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.