MAL-2026-10049: Malicious code in chai-await-dom (npm)
The npm package chai-await-dom version 1.3.7 is a malicious package impersonating a pino-style logger API. It contains a middleware that spawns a detached Node.js child process executing a remote JavaScript payload fetched from an anonymous paste host. This payload execution occurs in-process with the installer's Node.js privileges, enabling arbitrary code execution. The package name and API surface are deceptive, designed to lure users into installing it. The command-and-control (C2) server URL is obfuscated using base64 encoding. No official patch or remediation guidance is provided.
AI Analysis
Technical Summary
The malicious npm package [email protected] impersonates a legitimate logger API but executes a remote JavaScript payload retrieved from an anonymous paste service. The payload is executed via dynamic function construction, granting the attacker arbitrary code execution with the privileges of the Node.js process running the package. The C2 server URL is obfuscated in base64 within the package code. This behavior is consistent with namespace abuse and supply chain compromise tactics. No CVSS score or vendor advisory is available, and no patch links are provided.
Potential Impact
Installation of chai-await-dom version 1.3.7 leads to remote code execution on the host system with the privileges of the Node.js process. This can allow attackers to execute arbitrary commands, potentially compromising the host environment and any connected systems or data accessible with those privileges.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix or removal guidance is available, users should avoid installing or using chai-await-dom version 1.3.7. Existing installations should be removed and replaced with trusted packages. Monitor for any updates from the package repository or security advisories regarding remediation.
MAL-2026-10049: Malicious code in chai-await-dom (npm)
Description
The npm package chai-await-dom version 1.3.7 is a malicious package impersonating a pino-style logger API. It contains a middleware that spawns a detached Node.js child process executing a remote JavaScript payload fetched from an anonymous paste host. This payload execution occurs in-process with the installer's Node.js privileges, enabling arbitrary code execution. The package name and API surface are deceptive, designed to lure users into installing it. The command-and-control (C2) server URL is obfuscated using base64 encoding. No official patch or remediation guidance is provided.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The malicious npm package [email protected] impersonates a legitimate logger API but executes a remote JavaScript payload retrieved from an anonymous paste service. The payload is executed via dynamic function construction, granting the attacker arbitrary code execution with the privileges of the Node.js process running the package. The C2 server URL is obfuscated in base64 within the package code. This behavior is consistent with namespace abuse and supply chain compromise tactics. No CVSS score or vendor advisory is available, and no patch links are provided.
Potential Impact
Installation of chai-await-dom version 1.3.7 leads to remote code execution on the host system with the privileges of the Node.js process. This can allow attackers to execute arbitrary commands, potentially compromising the host environment and any connected systems or data accessible with those privileges.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix or removal guidance is available, users should avoid installing or using chai-await-dom version 1.3.7. Existing installations should be removed and replaced with trusted packages. Monitor for any updates from the package repository or security advisories regarding remediation.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10049
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a50bab068715ace43585920
Added to database: 07/10/2026, 09:26:08 UTC
Last enriched: 07/10/2026, 10:18:25 UTC
Last updated: 07/10/2026, 10:18:25 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.