MAL-2026-10045: Malicious code in chai-as-sharpened (npm)
The npm package 'chai-as-sharpened' version 7.0.9 contains malicious code that triggers unconditional remote code execution (RCE) upon import. It spawns a detached Node.js process that fetches and executes a remote payload with full require access, enabling arbitrary code execution on the host. The package uses name confusion by mimicking legitimate libraries to deceive users. No patch or remediation is currently documented.
AI Analysis
Technical Summary
The 'chai-as-sharpened' npm package (version 7.0.9) is a malicious package that, when required, spawns a detached background Node.js process executing 'lib/initializeCaller.js'. This script base64-decodes a hardcoded URL to fetch JSON data containing a 'cookie' field, which is executed via 'new Function.constructor' with full 'require' access, allowing arbitrary code execution on the host system. The package obfuscates its command and control (C2) endpoint and request headers using base64-encoded strings decoded at runtime. It impersonates legitimate libraries such as 'chai-as-promised' and 'pino' to trick users into installing it. This behavior results in unconditional remote code execution against any consumer of the package.
Potential Impact
Any system that installs or requires 'chai-as-sharpened' version 7.0.9 is subject to unconditional remote code execution, allowing an attacker to run arbitrary code with the privileges of the user running the Node.js process. This can lead to full system compromise, data theft, or further malware deployment. The malicious package uses obfuscation and name confusion to increase the likelihood of successful exploitation.
Mitigation Recommendations
No official patch or remediation is currently documented for this malicious package. Users should avoid installing or using 'chai-as-sharpened' version 7.0.9. Verify package authenticity before installation and prefer official, well-known packages. Remove any instances of this package from projects and dependency trees. Monitor for suspicious detached Node.js processes spawned during package installation or runtime.
MAL-2026-10045: Malicious code in chai-as-sharpened (npm)
Description
The npm package 'chai-as-sharpened' version 7.0.9 contains malicious code that triggers unconditional remote code execution (RCE) upon import. It spawns a detached Node.js process that fetches and executes a remote payload with full require access, enabling arbitrary code execution on the host. The package uses name confusion by mimicking legitimate libraries to deceive users. No patch or remediation is currently documented.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The 'chai-as-sharpened' npm package (version 7.0.9) is a malicious package that, when required, spawns a detached background Node.js process executing 'lib/initializeCaller.js'. This script base64-decodes a hardcoded URL to fetch JSON data containing a 'cookie' field, which is executed via 'new Function.constructor' with full 'require' access, allowing arbitrary code execution on the host system. The package obfuscates its command and control (C2) endpoint and request headers using base64-encoded strings decoded at runtime. It impersonates legitimate libraries such as 'chai-as-promised' and 'pino' to trick users into installing it. This behavior results in unconditional remote code execution against any consumer of the package.
Potential Impact
Any system that installs or requires 'chai-as-sharpened' version 7.0.9 is subject to unconditional remote code execution, allowing an attacker to run arbitrary code with the privileges of the user running the Node.js process. This can lead to full system compromise, data theft, or further malware deployment. The malicious package uses obfuscation and name confusion to increase the likelihood of successful exploitation.
Mitigation Recommendations
No official patch or remediation is currently documented for this malicious package. Users should avoid installing or using 'chai-as-sharpened' version 7.0.9. Verify package authenticity before installation and prefer official, well-known packages. Remove any instances of this package from projects and dependency trees. Monitor for suspicious detached Node.js processes spawned during package installation or runtime.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10045
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a50bac068715ace43587747
Added to database: 07/10/2026, 09:26:24 UTC
Last enriched: 07/10/2026, 10:21:31 UTC
Last updated: 07/10/2026, 11:05:24 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.