-= Per source details. Do not edit below this line.=-
Package name is a 1-2 character variant of the widely-used chai-as-promised plugin. The exported function — the entry point users pass to chai.use(...) per the copied pino README — invokes a runBackgroundTask helper that spawns a detached node subprocess (detached: true, stdio: 'ignore', child.unref()) running a sibling ./lib/initializeCaller.js, then returns a no-op pass-through middleware. The detached, unref'd child is decoupled from the parent test runner and outlives it — an out-of-band execution channel that has no relationship to the advertised purpose of a chai assertion plugin. The lib/ directory ships a verbatim copy of unrelated pino source as decoy content, and the README is copied from pinojs/pino. In this specific tarball the referenced ./lib/initializeCaller.js file is not present, so the fork currently errors out, but the launcher stub, name-confusion vector, decoy content, and covert-execution mechanism are all in place; the missing payload is consistent with a staged release or intended delivery via a sibling/subsequent publish.
{
"malicious-packages-origins": [
{
"sha256": "ab841cd3ab01bfcd1257a214489b41f10e236779e236a0672642777160245a9e",
"id": "IN-MAL-2026-009145",
"modified_time": "2026-07-09T15:34:58Z",
"versions": [
"6.0.4"
],
"import_time": "2026-07-09T16:20:45.342198505Z",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"tlsh": "0f318545b5f21259126d98c4f6b4a5263cdf9437331b76b1cded93952bce2080032bc7",
"sha256": "1f51184c197102444a2c8a23e4a8e54a6479750420512922fcb5d5f795c33911",
"path": "index.js"
}
],
"package_integrity": [
{
"filename": "chai-as-modified-6.0.4.tgz",
"hashes": {
"sha512_sri": "sha512-pZVE0B3+ZBcBLup07BG7RtfwDOw+T+zeX7zXpYyxXgdxdBq1ETOCqI6rLe1AcMLV2A47dL8QbsNv2/B4OfClmA==",
"sha1": "55ab6b27cdb0e54c6a6546298dbed06e77f46c34"
}
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-modified/MAL-2026-10043.json"