MAL-2026-10048

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-thread/MAL-2026-10048.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10048
Published
2026-07-09T15:32:23Z
Modified
2026-07-09T16:31:53.240317499Z
Summary
Malicious code in chai-as-thread (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d69f1826d6866410cdfe11e20cff630d3f0118d48c0cc9f697297aa64d29b341)

On require, the package spawns a detached node child that runs lib/initializeCaller.js. That script decodes a base64-obscured URL (https://tomato-brunhilda-40.tiiny.site/index.json) and base64-obscured header credentials, fetches JSON from the endpoint via axios, and executes the returned cookie field with full require access using new Function.constructor("require", response)(require). The remote host is an anonymous tiiny.site subdomain that can serve arbitrary code at any time. The package name mimics chai-as-promised and the README impersonates the pino logger project, indicating a typosquat lure delivering a remote-code-execution dropper.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "7.0.8"
            ],
            "id": "IN-MAL-2026-009128",
            "import_time": "2026-07-09T16:20:43.428258373Z",
            "modified_time": "2026-07-09T15:32:23Z",
            "sha256": "d69f1826d6866410cdfe11e20cff630d3f0118d48c0cc9f697297aa64d29b341",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / chai-as-thread

Package

Affected ranges

Affected versions

7.*
7.0.8

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "chai-as-thread-7.0.8.tgz",
            "hashes": {
                "sha512_sri": "sha512-6Rr8bVjZOkWGmlVtTM4Cu+719Bt9mGWEFWA4dGz8GRtOMxyDG1WnXDaEiwPsR/DIyjVHbd24LB46Q1fIEsijtQ==",
                "sha1": "2470c0da0bbf88ee7b2e7ba5322f24983b05f118"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "23436f977c9bbe6d302f0f94e191b3dfd938e5a0417ec098d38b60b0ed0cb14f",
            "tlsh": "9511c08e61fc200c046512e6b62f18126021e8673d86d5e47acc835b1f9567f7d936df",
            "path": "lib/initializeCaller.js"
        },
        {
            "tlsh": "bf019c60ce788e6300ed25824c2a064376629c135928fc1932d7512c0f9d5bf01bf21d",
            "sha256": "16af2fc511eb38e81523fa6c576bed03d46148ea46a779e32863c892276b0d5d",
            "path": "package.json"
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-thread/MAL-2026-10048.json"