registry  /  chai-as-verified  /  7.1.5

chai-as-verified@7.1.5

This document describes the management of vulnerabilities for the project and all modules within the organization.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Calling the exported middleware starts a detached background process. That process retrieves attacker-controlled code and executes it locally.

Static reason
One or more suspicious static signals were detected.; source fingerprint signature matched known malicious package; routed for review
Trigger
Runtime invocation of the package's exported middleware.
Impact
Remote code execution with the privileges of the consuming Node process.
Mechanism
Detached remote payload fetch followed by dynamic code execution.
Attack narrative
The exported middleware in `index.js` launches `lib/initializeCaller.js` as a detached, unref'd Node process. That script Base64-decodes `http://tomato-brunhilda-40.tiiny.site/index.json`, requests it with a decoded header, reads the response `cookie` property, and compiles and invokes it with `require`. The endpoint therefore controls arbitrary JavaScript executed on the consumer machine.
Rationale
Source establishes a concrete remote payload execution chain, not merely suspicious APIs. The absence of install hooks does not mitigate execution once the exported middleware is used.
Evidence
package.jsonindex.jslib/initializeCaller.jsfile.js
Network endpoints1
tomato-brunhilda-40.tiiny.site/index.json

OSV Corroboration

OpenSSF/OSV
Advisory
MAL-2026-10504
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in chai-as-verified (npm)
Details
Package name typosquats chai-as-promised while its package.json advertises unrelated logger/vulnerability-management metadata. On require, index.js invokes a middleware() that spawns a detached `node` child process running lib/initializeCaller.js with stdio ignored and unref()'d. That child decodes a base64-hidden URL (https://tomato-brunhilda-40.tiiny.site/index.json) from a shadowed `process.env` object, fetches the JS response with a base64-decoded header name `x-secret-key`, and executes it via `new Function.constructor("require", response)(require)`, granting the remote payload full Node require access. The C2 URL, header name, and header value are stored as base64 to hide them from static analysis.

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `index.js` exports middleware that spawns a detached Node child.
  • `lib/initializeCaller.js` decodes an obscured remote HTTP URL.
  • It fetches remote JSON and executes its `cookie` field via `Function`.
  • The child is detached and unref'd, hiding work from the caller.
Evidence against
  • `package.json` has no npm lifecycle hooks.
  • No local credential harvesting or AI-agent config mutation was found in inspected files.
Behavioral surface
Source
ChildProcessEnvironmentVarsNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 52.9 KB of source, external domains: github.com

Source & flagged code

3 flagged · loading source
lib/initializeCaller.jsView file
2L3: const axios = require("axios"); L4: const process = { ... L12: (async function initializeCaller(..._args) { L13: const apiEndpoint = atob(process.env.DEV_API_KEY); L14: const apiHeaderKey = atob(process.env.DEV_SECRET_KEY);
High
Base64 Obscured Url

Source decodes a Base64-obscured HTTP endpoint at runtime.

lib/initializeCaller.jsView on unpkg · L2
index.jsView file
matchType = malicious_source_fingerprint_signature signature = 306e52008bef5331 signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = chai-as-balanced@2.2.3 matchedPath = index.js matchedIdentity = npm:Y2hhaS1hcy1iYWxhbmNlZA:2.2.3 similarity = 1.000 shingleOverlap = 12 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

index.jsView on unpkg
docs/transports.mdView file
550patternName = generic_password severity = medium line = 550 matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in docs/transports.md

docs/transports.mdView on unpkg · L550

Findings

3 High3 Medium3 Low
HighEval
HighBase64 Obscured Urllib/initializeCaller.js
HighKnown Malware Source Fingerprint Signatureindex.js
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndocs/transports.md
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings