registry  /  chai-await-dom  /  1.3.7

chai-await-dom@1.3.7

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10049 confirms this npm version as malicious. The package impersonates a pino-style logger API but its exported middleware spawns a detached Node child process that runs lib/caller.js. caller.js retrieves a JavaScript payload from https://jsonkeeper.com/b/BPB86 (an anonymous paste-style host) and executes it in-process via `new Function.constructor('require', s)(require)`, granting the remote host arbitrary code execution with the installer's Node privileges...

Advisory
MAL-2026-10049
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in chai-await-dom (npm)
Details
The package impersonates a pino-style logger API but its exported middleware spawns a detached Node child process that runs lib/caller.js. caller.js retrieves a JavaScript payload from https://jsonkeeper.com/b/BPB86 (an anonymous paste-style host) and executes it in-process via `new Function.constructor('require', s)(require)`, granting the remote host arbitrary code execution with the installer's Node privileges. lib/const.js stores a base64-encoded sibling URL (https://jsonkeeper.com/b/ZK45J decoded from `aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iL1pLNDVK`), deliberately obfuscating the C2 destination. The package name (chai-await-dom) does not match its actual behavior or its impersonated logger API surface, consistent with a namespace-abuse lure carrying a remote-code-execution payload.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 52.5 KB of source, external domains: github.com, jsonkeeper.com

Source & flagged code

1 flagged · loading source
docs/transports.mdView file
550patternName = generic_password severity = medium line = 550 matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in docs/transports.md

docs/transports.mdView on unpkg · L550

Findings

1 High3 Medium3 Low
HighEval
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndocs/transports.md
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings