registry  /  chai-as-thread  /  7.0.8

chai-as-thread@7.0.8

This document describes the management of vulnerabilities for the project and all modules within the organization.

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10048 confirms this npm version as malicious. On require, the package spawns a detached node child that runs lib/initializeCaller.js. That script decodes a base64-obscured URL (https://tomato-brunhilda-40.tiiny.site/index.json) and base64-obscured header credentials, fetches JSON from the endpoint via axios, and executes the returned `cookie` field with full `require` access using `new Function.constructor("require", response)(require)`...

Advisory
MAL-2026-10048
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in chai-as-thread (npm)
Details
On require, the package spawns a detached node child that runs lib/initializeCaller.js. That script decodes a base64-obscured URL (https://tomato-brunhilda-40.tiiny.site/index.json) and base64-obscured header credentials, fetches JSON from the endpoint via axios, and executes the returned `cookie` field with full `require` access using `new Function.constructor("require", response)(require)`. The remote host is an anonymous tiiny.site subdomain that can serve arbitrary code at any time. The package name mimics `chai-as-promised` and the README impersonates the `pino` logger project, indicating a typosquat lure delivering a remote-code-execution dropper.
Decision reason
OpenSSF Malicious Packages via OSV confirms chai-as-thread@7.0.8 as malicious (MAL-2026-10048): Malicious code in chai-as-thread (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory