-= Per source details. Do not edit below this line.=-
On require of the package's main entry, index.js detaches a child process that runs lib/initializeCaller.js. That script posts the caller's entire process.env to a base64-obfuscated URL (decoded destination: https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df) using axios, then passes the response body to new Function('require', response.data) and invokes it with the module require — giving the remote endpoint arbitrary code execution on the installer's host with full module access. The package name mimics the chai-as-* family while its metadata advertises a JSON logger, and neither role is implemented in the shipped code; the main entry silently spawns the exfil/RCE task instead of exposing any library API. The bulk-environment upload captures CI secrets, cloud tokens, and API keys that live in process.env in typical build environments.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-15T01:21:59Z",
"source": "amazon-inspector",
"import_time": "2026-07-15T01:37:35.209111713Z",
"versions": [
"3.1.5"
],
"id": "IN-MAL-2026-010594",
"sha256": "a6820ba756fd8d2eb81435c478feb269e34f2aea859e42b42861d0a28f914a1f"
},
{
"modified_time": "2026-07-15T02:52:15Z",
"source": "amazon-inspector",
"import_time": "2026-07-15T03:07:36.015467239Z",
"versions": [
"3.1.6"
],
"id": "IN-MAL-2026-010595",
"sha256": "a822ae725d0887baa11e83624e59f504c11659322a343230ac0cb66c8d5f5c4b"
}
]
}{
"package_integrity": [
{
"filename": "chai-as-byte-3.1.5.tgz",
"hashes": {
"sha512_sri": "sha512-Ubm7Hg9m7G6G0FWA3pLEwjUKOCoIXvruCEmO/HZqbP7ft+y0n/Ihy/WJ1FOUtLc0cOA1Id2hBFXHwC80PtABDg==",
"sha1": "afe410ec66cf5e753c85deab9414d31c3f9e9306"
}
}
],
"evidence_files": [
{
"tlsh": "dff0e14d24ba2039426e58e2bf1b18461403f9223381d861f7cd936e0f8dc0dea636c8",
"path": "lib/initializeCaller.js",
"sha256": "0a22e7a21ac873219d858746d8b32c2e4ba926f598e05fd06a617c792e440f03"
},
{
"tlsh": "30017620dab88e2300ed25924c2a0643ba664c179528fd2932dba12c4fad5fb01bf21d",
"path": "package.json",
"sha256": "b49a51495f34bbea0e43a32fd52e668a119407d6ef5888f39bc0d0072e11f94f"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-byte/MAL-2026-10630.json"
[
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
},
{
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506"
}
]