Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

MAL-2026-10045: Malicious code in chai-as-sharpened (npm)

0
Critical
Published: 07/09/2026 (07/09/2026, 15:31:55 UTC)
Source: GCVE Database
Product: chai-as-sharpened

Description

The npm package 'chai-as-sharpened' version 7.0.9 contains malicious code that triggers unconditional remote code execution (RCE) upon import. It spawns a detached Node.js process that fetches and executes a remote payload with full require access, enabling arbitrary code execution on the host. The package uses name confusion by mimicking legitimate libraries to deceive users. No patch or remediation is currently documented.

Affected software

npmghsa
chai-as-sharpened
Affected versions
=7.0.9

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/10/2026, 10:21:31 UTC

Technical Analysis

The 'chai-as-sharpened' npm package (version 7.0.9) is a malicious package that, when required, spawns a detached background Node.js process executing 'lib/initializeCaller.js'. This script base64-decodes a hardcoded URL to fetch JSON data containing a 'cookie' field, which is executed via 'new Function.constructor' with full 'require' access, allowing arbitrary code execution on the host system. The package obfuscates its command and control (C2) endpoint and request headers using base64-encoded strings decoded at runtime. It impersonates legitimate libraries such as 'chai-as-promised' and 'pino' to trick users into installing it. This behavior results in unconditional remote code execution against any consumer of the package.

Potential Impact

Any system that installs or requires 'chai-as-sharpened' version 7.0.9 is subject to unconditional remote code execution, allowing an attacker to run arbitrary code with the privileges of the user running the Node.js process. This can lead to full system compromise, data theft, or further malware deployment. The malicious package uses obfuscation and name confusion to increase the likelihood of successful exploitation.

Mitigation Recommendations

No official patch or remediation is currently documented for this malicious package. Users should avoid installing or using 'chai-as-sharpened' version 7.0.9. Verify package authenticity before installation and prefer official, well-known packages. Remove any instances of this package from projects and dependency trees. Monitor for suspicious detached Node.js processes spawned during package installation or runtime.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
MAL-2026-10045
Osv Schema Version
1.7.4
Aliases
[]
Ecosystems
["npm"]
Database Specific Severity
null
Cvss Version
null

Threat ID: 6a50bac068715ace43587747

Added to database: 07/10/2026, 09:26:24 UTC

Last enriched: 07/10/2026, 10:21:31 UTC

Last updated: 07/10/2026, 11:05:24 UTC

Views: 4

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses