npm

set-proto-chain@1.0.3

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-6079

Ecosystem

npm

Summary

lib/index.js contains a base64-encoded URL (decoding to https://jsonkeeper.com/b/BN77K, an anonymous mutable paste host) that is fetched via axios.get; the response's .data.cookie field is then written to the stdin of a detached node child process for execution. The top-level index.js calls getThetaInterface() unconditionally, and package.json declares postinstall: node index.js, so the fetch-and-execute path fires automatically on npm install as well as on require(). The fetched payload is attacker-controlled and can change at any time. The package additionally impersonates the legitimate proto-chain package (README header # proto-chain, runtime error messages referencing require('proto-chain')), making accidental installs more likely.

Source: amazon-inspector (bdb11eef3afbfc268bd48a18737884246861c7ae9e6a3d29901ae1379216c633)
