OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10052 confirms this npm version as malicious. Package masquerades as a chai-as-promised plugin / pino logger (README and exports copied from pino, including `module.exports.pino = middleware`) but on use spawns a detached Node process running lib/caller.js, which fetches a string from https://jsonkeeper.com/b/EXSIF and executes it via `new Function.constructor("require", s)(require)`...
Advisory
MAL-2026-10052
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in chai-promised-test (npm)
Details
Package masquerades as a chai-as-promised plugin / pino logger (README and exports copied from pino, including `module.exports.pino = middleware`) but on use spawns a detached Node process running lib/caller.js, which fetches a string from https://jsonkeeper.com/b/EXSIF and executes it via `new Function.constructor("require", s)(require)`. The fetched code runs with full Node privileges (require, fs, child_process, network). The C2 URL and request headers are concealed by shadowing the local `process` object with fields named `DEV_API_KEY` / `DEV_SECRET_KEY` / `DEV_SECRET_VALUE`, and lib/const.js carries base64-encoded equivalents that decode to a second jsonkeeper.com paste and the header name `x-secret-key`. The remote paste is mutable and attacker-controlled, allowing arbitrary code execution on the installer's machine. Identity confusion with chai-as-promised / pino indicates the package exists to be installed by mistake.
Decision reason
OpenSSF Malicious Packages via OSV confirms chai-promised-test@1.3.5 as malicious (MAL-2026-10052): Malicious code in chai-promised-test (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory