registry  /  chai-as-structured  /  7.0.5

chai-as-structured@7.0.5

OSV Malicious Advisory

scanned 3h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10622 confirms this npm version as malicious. The package name evokes chai-as-promised but the shipped code presents itself as pino middleware. When the middleware factory in index.js is invoked, it spawns a detached node child process running lib/initializeCaller.js. That script constructs a fake process.env stub whose DEV_API_KEY, DEV_SECRET_KEY, and DEV_SECRET_VALUE fields are base64 blobs that decode to a URL and request headers pointing at...

Advisory
MAL-2026-10622
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in chai-as-structured (npm)
Details
The package name evokes chai-as-promised but the shipped code presents itself as pino middleware. When the middleware factory in index.js is invoked, it spawns a detached node child process running lib/initializeCaller.js. That script constructs a fake process.env stub whose DEV_API_KEY, DEV_SECRET_KEY, and DEV_SECRET_VALUE fields are base64 blobs that decode to a URL and request headers pointing at https://tomato-brunhilda-40.tiiny.site/index.json (an anonymous file-hosting host). The response's cookie field is passed to new Function.constructor('require', response) with the host's require handed in, giving the fetched string full Node privileges. The base64 concealment, misleading DEV_API_KEY naming, detached child launch, and typosquat-style package name are consistent with intentional supply-chain attack tradecraft rather than any legitimate loader.
Decision reason
OpenSSF Malicious Packages via OSV confirms chai-as-structured@7.0.5 as malicious (MAL-2026-10622): Malicious code in chai-as-structured (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory