registry  /  chai-as-byte  /  3.1.6

chai-as-byte@3.1.6

This document describes the management of vulnerabilities for the project and all modules within the organization.

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10630 confirms this npm version as malicious. On require of the package's main entry, index.js detaches a child process that runs lib/initializeCaller.js. That script posts the caller's entire process.env to a base64-obfuscated URL (decoded destination: https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df) using axios, then passes the response body to `new Function('require', response.data)` and invokes it with the module `require` — giving the...

Advisory
MAL-2026-10630
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in chai-as-byte (npm)
Details
On require of the package's main entry, index.js detaches a child process that runs lib/initializeCaller.js. That script posts the caller's entire process.env to a base64-obfuscated URL (decoded destination: https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df) using axios, then passes the response body to `new Function('require', response.data)` and invokes it with the module `require` — giving the remote endpoint arbitrary code execution on the installer's host with full module access. The package name mimics the chai-as-* family while its metadata advertises a JSON logger, and neither role is implemented in the shipped code; the main entry silently spawns the exfil/RCE task instead of exposing any library API. The bulk-environment upload captures CI secrets, cloud tokens, and API keys that live in process.env in typical build environments.
Decision reason
OpenSSF Malicious Packages via OSV confirms chai-as-byte@3.1.6 as malicious (MAL-2026-10630): Malicious code in chai-as-byte (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory