MAL-2026-10219

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-precision/MAL-2026-10219.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10219
Published
2026-07-13T04:16:07Z
Modified
2026-07-13T05:01:59.934343203Z
Summary
Malicious code in chai-as-precision (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (f8b5d1218fae5d91755d8f9ca8ed37983e7d589c6fd88012d3ddb29a84a2cc56)

Package is published as chai-as-precision but its shipped code mimics pino (exports middleware.pino, ships pino.js/proto.js/redaction.js), a name/purpose mismatch consistent with typosquatting or masquerade for transitive installation. When the exported middleware is invoked, index.js spawns node lib/initializeCaller.js with detached: true, stdio: 'ignore', and child.unref(), decoupling the child from the parent and suppressing output. lib/initializeCaller.js shadows process with a local object whose DEV_API_KEY is a base64 blob decoding to https://tomato-brunhilda-40.tiiny.site/index.json, GETs that URL, and executes the returned cookie field via new Function.constructor('require', response)(require) — arbitrary attacker-controlled JavaScript is executed with full require access on the host running the middleware. The destination is an anonymous tiiny.site host unrelated to any documented purpose, the URL and custom auth header are base64-hidden behind a fake env-var wrapper, and the executed content is mutable and controlled by whoever owns the tiiny.site page.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "f8b5d1218fae5d91755d8f9ca8ed37983e7d589c6fd88012d3ddb29a84a2cc56",
            "id": "IN-MAL-2026-009791",
            "import_time": "2026-07-13T04:43:12.803008019Z",
            "modified_time": "2026-07-13T04:16:07Z",
            "versions": [
                "7.0.6"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / chai-as-precision

Package

Affected ranges

Affected versions

7.*
7.0.6

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "23436f977c9bbe6d302f0f94e191b3dfd938e5a0417ec098d38b60b0ed0cb14f",
            "tlsh": "9511c08e61fc200c046512e6b62f18126021e8673d86d5e47acc835b1f9567f7d936df",
            "path": "lib/initializeCaller.js"
        },
        {
            "sha256": "95a5e69b4d84d1f04654008f2cf649b8b5a80b1e49fca038a8f305076d166d82",
            "tlsh": "35019c20de788e2300ed25825c2a0643b6719c179928fd1932d7512c0f9e4bf05bf21d",
            "path": "package.json"
        },
        {
            "tlsh": "0f318545b5f21259126d98c4f6b4a5263cdf9437331b76b1cded93952bce2080032bc7",
            "sha256": "1f51184c197102444a2c8a23e4a8e54a6479750420512922fcb5d5f795c33911",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "chai-as-precision-7.0.6.tgz",
            "hashes": {
                "sha512_sri": "sha512-czuo+QDm8qSMstomCrmn53KtrOg1udhLk/V0jGnPIvGMwGouX1QqVY2NrFVWUibqpg+UwT66oxQh2wYCXUWKuQ==",
                "sha1": "73f07084423eb5fa5fb0ac8ecc504ee2b3791005"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-precision/MAL-2026-10219.json"