chain-js-utils @2.1.1
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10408
Ecosystem
npm
Summary
The package impersonates pino (ships pino's docs and headers, exports a pino alias) but its actual runtime is an Express middleware factory in file.js that spawns a detached node lib/vcall.js child on each invocation. lib/vcall.js issues an HTTPS GET to https://api.jsonsilo.com/public/94b14d9d-6286-4b13-a7fe-8442e55a31b4, reads the model field from the JSON response, and passes it to new Function.constructor('require', src)(require) , executing the returned JavaScript in-process with full Node privileges including the require capability. Retries up to five times. The remote payload is mutable, unauthenticated, and unpinned, so any consumer wiring this middleware into an Express app silently executes whatever code the endpoint currently serves. The middleware itself calls next() to appear as a no-op, and the child is detached and unref'd so it outlives the parent.
Source: amazon-inspector (1a928356b1418a88bc30f460c42b1d9f3050ca3e67deb674307269a8c752d1d8)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.