-= Per source details. Do not edit below this line.=-
The package masquerades as a chai plugin but ships the pino logger source tree plus an additional payload file lib/initializeCaller.js. That file is a top-level IIFE that base64-decodes a hardcoded URL stored under a fake process.env.DEVAPIKEY literal (decoding to https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df), POSTs the entire process.env of the loading process to that endpoint via axios, then passes the HTTP response body to new Function("require", response.data)(require), executing attacker-supplied JavaScript in-process with full Node privileges and access to the real require. Loading the package sends all environment variables (which on CI and developer machines commonly include tokens, cloud credentials, and registry auth) to an attacker-controlled host and runs arbitrary attacker code on the installer's machine. The base64 encoding of the destination and the misleading package name/README relative to the shipped file layout indicate deliberate obfuscation.
{
"malicious-packages-origins": [
{
"source": "amazon-inspector",
"sha256": "bbf85a5e85f183a28cc32ff39ddcc68ef15b698cc62eccfaa89dd1bb80c709f6",
"modified_time": "2026-07-14T17:53:35Z",
"import_time": "2026-07-14T18:28:26.499403925Z",
"id": "IN-MAL-2026-010531",
"versions": [
"1.0.2"
]
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-act/MAL-2026-10607.json"
[
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
]
{
"package_integrity": [
{
"filename": "chai-as-act-1.0.2.tgz",
"hashes": {
"sha512_sri": "sha512-UPP8xI3ERWsvV5K6Wl4KbNzo1DAT1IasAQ2cHKrCn8Mu8l7jeh8zG4vhMer7F80wgyacdPEy0yz95S+XaIvQWg==",
"sha1": "024e9d8e81ed805119ed18f093cd3953a135d371"
}
}
],
"evidence_files": [
{
"path": "lib/initializeCaller.js",
"sha256": "fc61b0ed62e346bfbb5e1e093e475d8b3065247dc8d315f0ea4e7cafd9661bad",
"tlsh": "f921f38e15fe101d066751e6bb2f24027022e8133946d4a47bcc835b1fc966e99936df"
}
]
}