MAL-2026-10044: Malicious code in chai-as-serialized (npm)
The npm package chai-as-serialized version 7.0.8 contains malicious code that executes arbitrary remote code in the consumer's Node.js process. It impersonates legitimate packages to lure installs and fetches a JSON payload from a remote server, which it executes with require access. This behavior enables a remote attacker to run arbitrary code within the context of the affected environment.
AI Analysis
Technical Summary
The malicious npm package chai-as-serialized (version 7.0.8) spawns a detached Node.js child process running a script that constructs a fake environment object with base64-encoded fields. These fields decode to a remote URL and a secret request header. The script fetches a JSON payload from the remote URL and executes it using the Function constructor with require access, allowing arbitrary code execution in the consumer's Node.js process. The package mimics legitimate packages to deceive users, and the base64 encoding of the command-and-control URL and secret header confirms hostile intent.
Potential Impact
This vulnerability allows remote attackers to execute arbitrary code within the Node.js process of any user who installs the affected package version. This can lead to full compromise of the environment where the package is installed, including data theft, system manipulation, or further malware deployment.
Mitigation Recommendations
No official patch or remediation is currently available. Users should immediately avoid installing or using chai-as-serialized version 7.0.8. Remove the package from existing environments and replace it with trusted alternatives. Monitor for any unexpected child processes or network connections to suspicious domains. Check vendor advisories or npm security advisories for updates on remediation.
MAL-2026-10044: Malicious code in chai-as-serialized (npm)
Description
The npm package chai-as-serialized version 7.0.8 contains malicious code that executes arbitrary remote code in the consumer's Node.js process. It impersonates legitimate packages to lure installs and fetches a JSON payload from a remote server, which it executes with require access. This behavior enables a remote attacker to run arbitrary code within the context of the affected environment.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The malicious npm package chai-as-serialized (version 7.0.8) spawns a detached Node.js child process running a script that constructs a fake environment object with base64-encoded fields. These fields decode to a remote URL and a secret request header. The script fetches a JSON payload from the remote URL and executes it using the Function constructor with require access, allowing arbitrary code execution in the consumer's Node.js process. The package mimics legitimate packages to deceive users, and the base64 encoding of the command-and-control URL and secret header confirms hostile intent.
Potential Impact
This vulnerability allows remote attackers to execute arbitrary code within the Node.js process of any user who installs the affected package version. This can lead to full compromise of the environment where the package is installed, including data theft, system manipulation, or further malware deployment.
Mitigation Recommendations
No official patch or remediation is currently available. Users should immediately avoid installing or using chai-as-serialized version 7.0.8. Remove the package from existing environments and replace it with trusted alternatives. Monitor for any unexpected child processes or network connections to suspicious domains. Check vendor advisories or npm security advisories for updates on remediation.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10044
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a50bab668715ace43585dca
Added to database: 07/10/2026, 09:26:14 UTC
Last enriched: 07/10/2026, 10:19:33 UTC
Last updated: 07/10/2026, 10:19:33 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.