-= Per source details. Do not edit below this line.=-
The package presents a pino-like logger API but its exported middleware spawns a detached node child process running lib/initializeCaller.js. That script base64-decodes a hardcoded URL (https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df) stored in a fake process.env object, POSTs the full process.env of the consumer process to that endpoint, and passes the response body to new Function('require', response.data) invoked with the package's require. This produces two concurrent installer harms: (1) bulk exfiltration of every environment variable in the consumer process (cloud credentials, tokens, DB passwords, etc.) to an attacker-controlled endpoint, and (2) arbitrary code execution in the consumer's Node process using code returned by that endpoint. Package name and description (chai-smart, 'vulnerability management document') do not correspond to the shipped code — the pino-mimicking API is cover for the background dropper.
{
"malicious-packages-origins": [
{
"sha256": "28e7b8eaee41f8a9717775967be05791e0daf3f5f3e5070ac28c6a2f544fcc02",
"id": "IN-MAL-2026-009122",
"import_time": "2026-07-09T16:20:42.788191053Z",
"versions": [
"2.3.5"
],
"modified_time": "2026-07-09T15:31:31Z",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "fc61b0ed62e346bfbb5e1e093e475d8b3065247dc8d315f0ea4e7cafd9661bad",
"tlsh": "f921f38e15fe101d066751e6bb2f24027022e8133946d4a47bcc835b1fc966e99936df",
"path": "lib/initializeCaller.js"
},
{
"tlsh": "0f318545b5f21259126d98c4f6b4a5263cdf9437331b76b1cded93952bce2080032bc7",
"sha256": "1f51184c197102444a2c8a23e4a8e54a6479750420512922fcb5d5f795c33911",
"path": "index.js"
}
],
"package_integrity": [
{
"filename": "chai-smart-2.3.5.tgz",
"hashes": {
"sha512_sri": "sha512-fAFsBFm2ygqwjeVftBro02nyDsagswQih4X+VYdF0BiLgoTr1C2TDFNZHqRAL357AbHctupTuSLEo5Edzdt24g==",
"sha1": "87170c1699874b68f1befcadf75f7100e43c402c"
}
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-smart/MAL-2026-10054.json"