chai-redirection @0.0.1
Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC
OSV ID
MAL-2026-6995
Ecosystem
npm
Summary
chai-redirection presents itself as a chai assertion plugin but its main entry (index.js) unconditionally spawns a detached Node child process running lib/caller.js the moment the package is required. caller.js issues an HTTPS GET to https://www.jsonkeeper.com/b/PC5CK (a mutable pastebin-style host) and passes the response body's cookie field to new Function('require', res.data.cookie)(require) , executing attacker-controlled JavaScript in the installer's Node process with full require access. A secondary code path builds a URL from lib/config values, and on a 404 response whose body carries a token field, constructs new Function.constructor('require', res.token) and invokes it with require — a second remote-code-execution channel. The advertised chai plugin API (validJWT, safeString, etc.) is a cover story: the loader runs before any exports are used, so merely requiring this package as a chai plugin triggers remote code execution. The mutable pastebin source means today's payload can be replaced with anything at any time without republishing the package.
Source: amazon-inspector (38236fbbdbbaa8f8ed9315c3a4ff01fbf049215896036b1cb68611681fe0eb00)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.