npm

chain-await-dom @1.3.4

Vulnerability report · Last retrieved from osv.dev July 12, 2026 at 11:38 PM UTC

Malicious

OSV ID

MAL-2026-10202

Ecosystem

npm

Summary

The package's declared main entry index.js exports a factory check() that spawns a detached, unreferenced Node child process running lib/vcall.js , then returns a noop Express-shaped middleware as cover. lib/vcall.js fetches JavaScript from https://api.jsonsilo.com/public/c6c0b393-932f-4ae1-8fca-23c6747f4acc (a mutable JSON-storage endpoint) and executes the response body via new Function.constructor('require', src)(require) , with up to 5 retries. lib/constants.js also stores a base64-encoded secondary endpoint DEV_API_KEY decoding to https://jsonkeeper.com/b/ZK45J , consistent with fallback/staged remote-execution infrastructure. The module additionally re-exports the factory as module.exports.pino = check , mimicking the pino logger API, while the package name ( chain-await-dom ) and README describe unrelated functionality. Any consumer that requires this package triggers arbitrary remote code execution with full Node privileges; the detached+unref child process persists beyond the parent.

Source: amazon-inspector (c7412987df7a746c9128ca807cbd2222b340e3b4f8397620348fc62606a0f2b5)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.