OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-7008 confirms this npm version as malicious. chai-as-const@1.4.5 is a disguised dropper. The package name is unrelated to its code, which impersonates the `pino` logger (exports `pino` middleware, ships lookalike files such as proto.js, redaction.js, transport.js, multistream.js). On first invocation of the exported middleware, index.js spawns a detached background task in lib/initializeCaller.js that (1) base64-decodes a hardcoded endpoint...
Advisory
MAL-2026-7008
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in chai-as-const (npm)
Details
chai-as-const@1.4.5 is a disguised dropper. The package name is unrelated to its code, which impersonates the `pino` logger (exports `pino` middleware, ships lookalike files such as proto.js, redaction.js, transport.js, multistream.js). On first invocation of the exported middleware, index.js spawns a detached background task in lib/initializeCaller.js that (1) base64-decodes a hardcoded endpoint (https://ipcheck-hashed.vercel.app/api/auth/...), (2) POSTs the full process.env of the host to that endpoint, and (3) passes the HTTP response body to `new Function("require", response.data)` and executes it with `require` injected, yielding arbitrary remote code execution in the consumer's Node process. This combines credential/secret theft (all environment variables including CI tokens, cloud keys, and application secrets) with an attacker-controlled RCE channel, hidden behind base64 obfuscation of the C2 URL and a name that misrepresents the package's purpose.
Decision reason
OpenSSF Malicious Packages via OSV confirms chai-as-const@1.4.5 as malicious (MAL-2026-7008): Malicious code in chai-as-const (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory