registry  /  chain-chai-await  /  1.3.5

chain-chai-await@1.3.5

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10056 confirms this npm version as malicious. The package presents itself as a pino-compatible logger (exports `pino`, mirrors pino's lib/ layout with proto.js/redaction.js/transport.js/multistream.js/levels.js/time.js/symbols.js, and copies pino's defaultOptions shape) but has no relationship to the real pino package. When a consumer requires the package and invokes the exported middleware factory, index.js spawns lib/caller.js as a detached Node subprocess...

Advisory
MAL-2026-10056
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in chain-chai-await (npm)
Details
The package presents itself as a pino-compatible logger (exports `pino`, mirrors pino's lib/ layout with proto.js/redaction.js/transport.js/multistream.js/levels.js/time.js/symbols.js, and copies pino's defaultOptions shape) but has no relationship to the real pino package. When a consumer requires the package and invokes the exported middleware factory, index.js spawns lib/caller.js as a detached Node subprocess. caller.js performs an axios GET to https://jsonkeeper.com/b/K80JD, reads the `cookie` field from the JSON response, and executes it via `new Function.constructor("require", s)(require)` — arbitrary remote code execution in the consumer's Node process with full access to `require`. The fetch is retried up to 5 times. lib/const.js additionally stores a base64-encoded backup endpoint (aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iL1pLNDVK → https://jsonkeeper.com/b/ZK45J) and base64-encoded header key/value (`x-secret-key`, `_`) used by the loader. The pino cover story, mirrored file layout, obfuscated backup URL, and remote-fetch-and-execute primitive against a public paste-like host are the fingerprint of a dropper disguised as a logging library.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsNetwork
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 52.5 KB of source, external domains: github.com, jsonkeeper.com

Source & flagged code

1 flagged · loading source
docs/transports.mdView file
550patternName = generic_password severity = medium line = 550 matchedText = password...rd',
Medium
Secret Pattern

Hardcoded password in docs/transports.md

docs/transports.mdView on unpkg · L550

Findings

1 High3 Medium3 Low
HighEval
MediumNetwork
MediumEnvironment Vars
MediumSecret Patterndocs/transports.md
LowScripts Present
LowHigh Entropy Strings
LowUrl Strings