npm

chai-smart @2.3.5

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 6:28 PM UTC

Malicious

OSV ID

MAL-2026-10054

Ecosystem

npm

Summary

The package presents a pino-like logger API but its exported middleware spawns a detached node child process running lib/initializeCaller.js. That script base64-decodes a hardcoded URL (https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df) stored in a fake process.env object, POSTs the full process.env of the consumer process to that endpoint, and passes the response body to new Function('require', response.data) invoked with the package's require . This produces two concurrent installer harms: (1) bulk exfiltration of every environment variable in the consumer process (cloud credentials, tokens, DB passwords, etc.) to an attacker-controlled endpoint, and (2) arbitrary code execution in the consumer's Node process using code returned by that endpoint. Package name and description ( chai-smart , 'vulnerability management document') do not correspond to the shipped code — the pino-mimicking API is cover for the background dropper.

Source: amazon-inspector (28e7b8eaee41f8a9717775967be05791e0daf3f5f3e5070ac28c6a2f544fcc02)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.