-= Per source details. Do not edit below this line.=-
chai-as-balanced is a typosquat of chai-as-promised (also impersonating pino via README/badges/exports) that ships a remote code execution dropper. lib/const.js defines a fake process.env object whose DEVAPIKEY value is a base64-encoded URL to api.jsonstorage.net (an anonymous, attacker-mutable JSON storage service). lib/caller.js base64-decodes that URL, GETs the JSON blob using an obfuscated x-secret-key header, extracts the cookie field, and executes it via new Function.constructor('require', s)(require) — granting the fetched payload full Node privileges and access to the real require. index.js triggers this by spawning lib/caller.js as a detached, stdio-ignored child with child.unref(), so the dropper runs in the background and outlives the parent invocation, concealing execution from the caller. Because the payload source is anonymous and mutable, the executed code can change at any time without a new package release. Installers who mistype chai-as-promised as chai-as-balanced and invoke the exported middleware receive arbitrary attacker-controlled code execution.
{
"malicious-packages-origins": [
{
"versions": [
"2.2.3"
],
"id": "IN-MAL-2026-009127",
"import_time": "2026-07-09T16:20:43.327874262Z",
"modified_time": "2026-07-09T15:32:15Z",
"sha256": "562ae39db73c30faea0a6d84cda0fe0b68d60d7bfa863f769edcdb620e30b0a1",
"source": "amazon-inspector"
}
]
}{
"package_integrity": [
{
"filename": "chai-as-balanced-2.2.3.tgz",
"hashes": {
"sha512_sri": "sha512-bZNaRva43f278eHyMyzxK6cs1CvA4fUILrD3I8cqZH4kjB0bCS/GB+QiBZCNAiuS+P1RtARMxvy+mgFvasZdBw==",
"sha1": "4d451a1ca60287d45951989330b5481ef521919a"
}
}
],
"evidence_files": [
{
"tlsh": "b501c29934fe501c015111e9171fb1326050e4773986d6c8374c87029fa667e6e93adf",
"sha256": "6c87c9848b319c905ed8db467c1b8535c83c4afed4391d6df3b2c0c0f3de76e2",
"path": "lib/caller.js"
},
{
"tlsh": "1b5195a783e47b6e4b6300a1a1c375a5ff1f931cfb6a606ddcd891290319897813150a",
"sha256": "a42a28a6711aedfb391c88327cf6b854e3e75c7a3b26b30da997849984abab65",
"path": "README.md"
},
{
"tlsh": "5d213c81b9f11188065cd9c8b569e53a38e3c4377207b9b0e9ec87862bcf2080272ad7",
"sha256": "2956b023858d706a5e241cd28b845088e5f414c5f70bd5d8cb73cb427d081065",
"path": "index.js"
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-balanced/MAL-2026-10040.json"