MAL-2026-7008

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-const/MAL-2026-7008.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-7008
Published
2026-07-08T17:30:45Z
Modified
2026-07-08T17:46:44.895351141Z
Summary
Malicious code in chai-as-const (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (f2c70991a87f00f1b25b85243d1984fcb2562dc2c34f0c5514827b3660350294)

chai-as-const@1.4.5 is a disguised dropper. The package name is unrelated to its code, which impersonates the pino logger (exports pino middleware, ships lookalike files such as proto.js, redaction.js, transport.js, multistream.js). On first invocation of the exported middleware, index.js spawns a detached background task in lib/initializeCaller.js that (1) base64-decodes a hardcoded endpoint (https://ipcheck-hashed.vercel.app/api/auth/...), (2) POSTs the full process.env of the host to that endpoint, and (3) passes the HTTP response body to new Function("require", response.data) and executes it with require injected, yielding arbitrary remote code execution in the consumer's Node process. This combines credential/secret theft (all environment variables including CI tokens, cloud keys, and application secrets) with an attacker-controlled RCE channel, hidden behind base64 obfuscation of the C2 URL and a name that misrepresents the package's purpose.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "f2c70991a87f00f1b25b85243d1984fcb2562dc2c34f0c5514827b3660350294",
            "id": "IN-MAL-2026-008170",
            "import_time": "2026-07-08T17:40:19.766114169Z",
            "versions": [
                "1.4.5"
            ],
            "modified_time": "2026-07-08T17:30:45Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / chai-as-const

Package

Affected ranges

Affected versions

1.*
1.4.5

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "266ef59f0542299b456e1d925e6c2c7f8db3b184ea9ca71e36bc037001a6d4f6",
            "tlsh": "51f0874d34b61036426e58e1bb1b54565403f56137c0d855f2cd536b0f4ed4df6636d4",
            "path": "lib/initializeCaller.js"
        },
        {
            "sha256": "1f51184c197102444a2c8a23e4a8e54a6479750420512922fcb5d5f795c33911",
            "tlsh": "0f318545b5f21259126d98c4f6b4a5263cdf9437331b76b1cded93952bce2080032bc7",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "chai-as-const-1.4.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-z4rAyWeHd9hq5pwdfVlrwSQgdbumLMbIi2ykrntPIVW8nNUjjz/Cho2Cw1kOoyfgV7XvJ42QqrvW7MSl/Oo2ng==",
                "sha1": "68eb7bc8361e2c6f070d012cb7318f85551b47ed"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-const/MAL-2026-7008.json"