registry  /  chain-chai-await  /  1.3.7

chain-chai-await@1.3.7

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10056 confirms this npm version as malicious. The package presents itself as a pino-compatible logger (exports `pino`, mirrors pino's lib/ layout with proto.js/redaction.js/transport.js/multistream.js/levels.js/time.js/symbols.js, and copies pino's defaultOptions shape) but has no relationship to the real pino package. When a consumer requires the package and invokes the exported middleware factory, index.js spawns lib/caller.js as a detached Node subprocess...

Advisory
MAL-2026-10056
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in chain-chai-await (npm)
Details
The package presents itself as a pino-compatible logger (exports `pino`, mirrors pino's lib/ layout with proto.js/redaction.js/transport.js/multistream.js/levels.js/time.js/symbols.js, and copies pino's defaultOptions shape) but has no relationship to the real pino package. When a consumer requires the package and invokes the exported middleware factory, index.js spawns lib/caller.js as a detached Node subprocess. caller.js performs an axios GET to https://jsonkeeper.com/b/K80JD, reads the `cookie` field from the JSON response, and executes it via `new Function.constructor("require", s)(require)` — arbitrary remote code execution in the consumer's Node process with full access to `require`. The fetch is retried up to 5 times. lib/const.js additionally stores a base64-encoded backup endpoint (aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iL1pLNDVK → https://jsonkeeper.com/b/ZK45J) and base64-encoded header key/value (`x-secret-key`, `_`) used by the loader. The pino cover story, mirrored file layout, obfuscated backup URL, and remote-fetch-and-execute primitive against a public paste-like host are the fingerprint of a dropper disguised as a logging library.
Decision reason
OpenSSF Malicious Packages via OSV confirms chain-chai-await@1.3.7 as malicious (MAL-2026-10056): Malicious code in chain-chai-await (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory