OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10049 confirms this npm version as malicious. The package impersonates a pino-style logger API but its exported middleware spawns a detached Node child process that runs lib/caller.js. caller.js retrieves a JavaScript payload from https://jsonkeeper.com/b/BPB86 (an anonymous paste-style host) and executes it in-process via `new Function.constructor('require', s)(require)`, granting the remote host arbitrary code execution with the installer's Node privileges...
Advisory
MAL-2026-10049
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in chai-await-dom (npm)
Details
The package impersonates a pino-style logger API but its exported middleware spawns a detached Node child process that runs lib/caller.js. caller.js retrieves a JavaScript payload from https://jsonkeeper.com/b/BPB86 (an anonymous paste-style host) and executes it in-process via `new Function.constructor('require', s)(require)`, granting the remote host arbitrary code execution with the installer's Node privileges. lib/const.js stores a base64-encoded sibling URL (https://jsonkeeper.com/b/ZK45J decoded from `aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iL1pLNDVK`), deliberately obfuscating the C2 destination. The package name (chai-await-dom) does not match its actual behavior or its impersonated logger API surface, consistent with a namespace-abuse lure carrying a remote-code-execution payload.
Decision reason
One or more suspicious static signals were detected.
References
Decision evidence
public snapshotBehavioral surface
ChildProcessEnvironmentVarsNetwork
HighEntropyStringsUrlStrings
Source & flagged code
1 flagged · loading sourcedocs/transports.mdView file
550patternName = generic_password
severity = medium
line = 550
matchedText = password...rd',
Medium
Findings
1 High3 Medium3 Low
HighEval
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndocs/transports.md
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings