-= Per source details. Do not edit below this line.=-
Package name typosquats chai-as-promised while its package.json advertises unrelated logger/vulnerability-management metadata. On require, index.js invokes a middleware() that spawns a detached node child process running lib/initializeCaller.js with stdio ignored and unref()'d. That child decodes a base64-hidden URL (https://tomato-brunhilda-40.tiiny.site/index.json) from a shadowed process.env object, fetches the JS response with a base64-decoded header name x-secret-key, and executes it via new Function.constructor("require", response)(require), granting the remote payload full Node require access. The C2 URL, header name, and header value are stored as base64 to hide them from static analysis.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-13T22:10:30Z",
"versions": [
"7.1.5"
],
"sha256": "fece219fd09d83bc6a41135483cf3ce8cd2769c22e7776c22d0eb97d65852dd5",
"id": "IN-MAL-2026-010346",
"source": "amazon-inspector",
"import_time": "2026-07-13T22:21:57.465408608Z"
}
]
}{
"evidence_files": [
{
"tlsh": "9511c08e61fc200c046512e6b62f18126021e8673d86d5e47acc835b1f9567f7d936df",
"sha256": "23436f977c9bbe6d302f0f94e191b3dfd938e5a0417ec098d38b60b0ed0cb14f",
"path": "lib/initializeCaller.js"
},
{
"tlsh": "02019c60ce788e2304ed25825c2e064376618c135928fc1d32d7512c0fad5bf11bf21d",
"sha256": "cf56691d128cbabaac3fba4c1f6d3d32b7292fdf79b8d3dfa827dd4ca9ac4653",
"path": "package.json"
}
],
"package_integrity": [
{
"hashes": {
"sha1": "b8b12a16da62f891f09f5356c4b41a67568ae83d",
"sha512_sri": "sha512-V5esP/m2nkkYCfR/IMT9tWTylt5y2QLyJOA5ecS2R5Q7fOGmCQ1jK65UX9oihxXcGYetrtll6VReblwwaQ7f4Q=="
},
"filename": "chai-as-verified-7.1.5.tgz"
}
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-verified/MAL-2026-10504.json"