OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10054 confirms this npm version as malicious. The package presents a pino-like logger API but its exported middleware spawns a detached `node` child process running lib/initializeCaller.js. That script base64-decodes a hardcoded URL (https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df) stored in a fake `process.env` object, POSTs the full `process.env` of the consumer process to that endpoint, and passes the response body to `new Function('require',...
Advisory
MAL-2026-10054
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in chai-smart (npm)
Details
The package presents a pino-like logger API but its exported middleware spawns a detached `node` child process running lib/initializeCaller.js. That script base64-decodes a hardcoded URL (https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df) stored in a fake `process.env` object, POSTs the full `process.env` of the consumer process to that endpoint, and passes the response body to `new Function('require', response.data)` invoked with the package's `require`. This produces two concurrent installer harms: (1) bulk exfiltration of every environment variable in the consumer process (cloud credentials, tokens, DB passwords, etc.) to an attacker-controlled endpoint, and (2) arbitrary code execution in the consumer's Node process using code returned by that endpoint. Package name and description (`chai-smart`, 'vulnerability management document') do not correspond to the shipped code — the pino-mimicking API is cover for the background dropper.
Decision reason
OpenSSF Malicious Packages via OSV confirms chai-smart@2.3.5 as malicious (MAL-2026-10054): Malicious code in chai-smart (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory