registry  /  chai-as-precision  /  7.0.6

chai-as-precision@7.0.6

This document describes the management of vulnerabilities for the project and all modules within the organization.

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10219 confirms this npm version as malicious. Package is published as `chai-as-precision` but its shipped code mimics `pino` (exports `middleware.pino`, ships `pino.js`/`proto.js`/`redaction.js`), a name/purpose mismatch consistent with typosquatting or masquerade for transitive installation. When the exported middleware is invoked, `index.js` spawns `node lib/initializeCaller.js` with `detached: true`, `stdio: 'ignore'`, and `child.unref()`, decoupling the...

Advisory
MAL-2026-10219
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in chai-as-precision (npm)
Details
Package is published as `chai-as-precision` but its shipped code mimics `pino` (exports `middleware.pino`, ships `pino.js`/`proto.js`/`redaction.js`), a name/purpose mismatch consistent with typosquatting or masquerade for transitive installation. When the exported middleware is invoked, `index.js` spawns `node lib/initializeCaller.js` with `detached: true`, `stdio: 'ignore'`, and `child.unref()`, decoupling the child from the parent and suppressing output. `lib/initializeCaller.js` shadows `process` with a local object whose `DEV_API_KEY` is a base64 blob decoding to `https://tomato-brunhilda-40.tiiny.site/index.json`, GETs that URL, and executes the returned `cookie` field via `new Function.constructor('require', response)(require)` — arbitrary attacker-controlled JavaScript is executed with full `require` access on the host running the middleware. The destination is an anonymous tiiny.site host unrelated to any documented purpose, the URL and custom auth header are base64-hidden behind a fake env-var wrapper, and the executed content is mutable and controlled by whoever owns the tiiny.site page.
Decision reason
OpenSSF Malicious Packages via OSV confirms chai-as-precision@7.0.6 as malicious (MAL-2026-10219): Malicious code in chai-as-precision (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory