npm

chai-promised-test @1.3.5

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-10052

Ecosystem

npm

Summary

Package masquerades as a chai-as-promised plugin / pino logger (README and exports copied from pino, including module.exports.pino = middleware ) but on use spawns a detached Node process running lib/caller.js, which fetches a string from https://jsonkeeper.com/b/EXSIF and executes it via new Function.constructor("require", s)(require) . The fetched code runs with full Node privileges (require, fs, child_process, network). The C2 URL and request headers are concealed by shadowing the local process object with fields named DEV_API_KEY / DEV_SECRET_KEY / DEV_SECRET_VALUE , and lib/const.js carries base64-encoded equivalents that decode to a second jsonkeeper.com paste and the header name x-secret-key . The remote paste is mutable and attacker-controlled, allowing arbitrary code execution on the installer's machine. Identity confusion with chai-as-promised / pino indicates the package exists to be installed by mistake.

Source: amazon-inspector (1ddaac3e93ed2e5d968816cf3153b2ab1878580bb9ee65ec3ec1acdca41dc018)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.