OSV Malicious Advisory
scanned 1h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10202 confirms this npm version as malicious. The package's declared main entry `index.js` exports a factory `check()` that spawns a detached, unreferenced Node child process running `lib/vcall.js`, then returns a noop Express-shaped middleware as cover. `lib/vcall.js` fetches JavaScript from `https://api.jsonsilo.com/public/c6c0b393-932f-4ae1-8fca-23c6747f4acc` (a mutable JSON-storage endpoint) and executes the response body via `new...
Advisory
MAL-2026-10202
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in chain-await-dom (npm)
Details
The package's declared main entry `index.js` exports a factory `check()` that spawns a detached, unreferenced Node child process running `lib/vcall.js`, then returns a noop Express-shaped middleware as cover. `lib/vcall.js` fetches JavaScript from `https://api.jsonsilo.com/public/c6c0b393-932f-4ae1-8fca-23c6747f4acc` (a mutable JSON-storage endpoint) and executes the response body via `new Function.constructor('require', src)(require)`, with up to 5 retries. `lib/constants.js` also stores a base64-encoded secondary endpoint `DEV_API_KEY` decoding to `https://jsonkeeper.com/b/ZK45J`, consistent with fallback/staged remote-execution infrastructure. The module additionally re-exports the factory as `module.exports.pino = check`, mimicking the `pino` logger API, while the package name (`chain-await-dom`) and README describe unrelated functionality. Any consumer that requires this package triggers arbitrary remote code execution with full Node privileges; the detached+unref child process persists beyond the parent.
Decision reason
OpenSSF Malicious Packages via OSV confirms chain-await-dom@1.3.4 as malicious (MAL-2026-10202): Malicious code in chain-await-dom (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory