-= Per source details. Do not edit below this line.=-
The package presents itself as pino-style logging middleware but on require() spawns a detached Node child that runs lib/initializeCaller.js. That script base64-decodes a hardcoded URL (stored as a fake DEVAPIKEY constant) resolving to https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df, POSTs the entire process.env object to it with an x-secret-header, and then passes the HTTP response body to new Function("require", response.data) and invokes it with the local require. This gives the remote host arbitrary code execution inside the installer's Node process with full environment/credential access. The base64 obfuscation of the endpoint, the disguised middleware cover story, and the name resembling chai/chai-as-promised are consistent with a typosquat supply-chain attack.
{
"malicious-packages-origins": [
{
"versions": [
"2.3.5"
],
"id": "IN-MAL-2026-009714",
"import_time": "2026-07-10T21:26:06.007803703Z",
"modified_time": "2026-07-10T21:24:50Z",
"sha256": "cecfd3091225b3667317dd9da8fd56c4f5e7fc675e17d52cda601898b3a50ec2",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "fc61b0ed62e346bfbb5e1e093e475d8b3065247dc8d315f0ea4e7cafd9661bad",
"tlsh": "f921f38e15fe101d066751e6bb2f24027022e8133946d4a47bcc835b1fc966e99936df",
"path": "lib/initializeCaller.js"
}
],
"package_integrity": [
{
"filename": "chai-as-doc-2.3.5.tgz",
"hashes": {
"sha512_sri": "sha512-mn+k+zE6L5wdiEpurZCLNXuBEwiJdgozfMwqe+9pnoeS4HGjnMMCfFxT2HGKrXiAV13WCU9rANeJShKIXv4EhA==",
"sha1": "2ff81e9aa495165d5a93b34d754ea5d4b50ea698"
}
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-doc/MAL-2026-10175.json"