MAL-2026-10082

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chain-async-dom/MAL-2026-10082.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10082
Published
2026-07-09T17:02:16Z
Modified
2026-07-09T17:31:58.323215966Z
Summary
Malicious code in chain-async-dom (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (54cd392461a3d805dd24f6bc67d354498531f9b42352e8e0c17205351dcccf0b)

The package presents itself as a pino-compatible logger (lib/ directory mirrors pino's internal file layout — proto.js, levels.js, redaction.js, multistream.js, transport.js, tools.js, symbols.js, worker.js; keywords 'fast,logger,stream,json'; module.exports.pino alias) but its main entry index.js exports a middleware-style check function that, when invoked, spawns a detached node lib/vcall.js subprocess with stdio:'inherit' and child.unref() so the loader survives the parent process. lib/vcall.js retrieves JavaScript from a hardcoded IPFS gateway URL (https://emerald-accurate-urial-9.mypinata.cloud/ipfs/bafkreify2ijjvromekknzxzvqaopft6muwlpl37mvmpdeazwzzkbjzkuxm) via axios and executes the response body with new Function.constructor('require', src)(require) in a 5-retry loop, giving the fetched code full access to the consumer's Node runtime, filesystem, network, and environment. lib/const.js additionally ships a base64-encoded jsonkeeper paste URL (decodes to https://jsonkeeper.com/b/ZK45J) and a.env with DEVAPICHECK_DOMAIN=http://vercel-five-coral.vercel.app/, staging additional mutable payload channels. The IPFS-served content is attacker-mutable and opaque; consumers who install and invoke this package as advertised (as a logger/middleware) receive arbitrary remote code execution.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "54cd392461a3d805dd24f6bc67d354498531f9b42352e8e0c17205351dcccf0b",
            "id": "IN-MAL-2026-009369",
            "modified_time": "2026-07-09T17:02:16Z",
            "versions": [
                "1.3.6"
            ],
            "import_time": "2026-07-09T17:19:30.05808583Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / chain-async-dom

Package

Affected ranges

Affected versions

1.*
1.3.6

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "d7e5e8df615ad740f90c6ea3cd9f7ab8f80ac996c4eb232c34ce0668d27e8139",
            "tlsh": "7ef09e9f30fb205c577220fa560b45517002e16b7947e99b374cc3914f5985a2573f98",
            "path": "lib/vcall.js"
        },
        {
            "tlsh": "cef0ac4636f5a7a052249e85ea0be8363cc2c4357301edb082cef5d50743a6c86bb5d8",
            "sha256": "a8a42982be73e18609aa4e0c0ff2a27e7fbdb6fed4b48a85daf9231ff667fcca",
            "path": "index.js"
        },
        {
            "sha256": "d9df63e3148d17dd22c278004936914c066e924bd73a96b9844cd4d14012e28a",
            "tlsh": "ad019c60ce788e2304ed25824c2e0643b6718c17a928fc2932db512d4f9e5bf45bf21d",
            "path": "package.json"
        },
        {
            "sha256": "9879ffb0bf61edef7e9b90ddc5fac9770c514c0cdecd9a07b15e8a677e6f8f74",
            "tlsh": "8ac08c8351e4a89704301773610ca995f2a1d26f0c840b0331f594844a396a93840fbb",
            "path": "lib/const.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "chain-async-dom-1.3.6.tgz",
            "hashes": {
                "sha512_sri": "sha512-h9YSe4muyBrOqDVFmk5fSzt2h2Pbw/od8C3lvxygyWLtPYC7aXGcu2TjMKb3Pjys8zNgYfbmKg8vpTBKkttY2w==",
                "sha1": "a7198ea38268fd1104eb5baff96a794618eed96e"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chain-async-dom/MAL-2026-10082.json"