MAL-2026-10052: Malicious code in chai-promised-test (npm)
The npm package 'chai-promised-test' version 1.3.5 is a malicious package masquerading as the legitimate 'chai-as-promised' plugin and 'pino' logger. Upon use, it spawns a detached Node.js process that fetches and executes attacker-controlled code from a remote URL with full Node.js privileges, enabling arbitrary code execution on the installer's machine. The package conceals its command-and-control communication by shadowing process object fields and encoding headers, making detection more difficult. This package is designed to be installed by mistake due to its similarity to popular packages.
AI Analysis
Technical Summary
The 'chai-promised-test' npm package version 1.3.5 impersonates legitimate packages by copying their README and exports. When used, it launches a detached Node.js process running 'lib/caller.js' which retrieves a string from a remote JSON paste service (jsonkeeper.com) and executes it using the Function constructor with full Node.js capabilities (including require, filesystem, child processes, and network access). The remote code is attacker-controlled and mutable, allowing arbitrary code execution on any system that installs this package. The package hides its command-and-control headers by overriding the local process object with fields such as DEV_API_KEY and DEV_SECRET_KEY, and stores base64-encoded equivalents in 'lib/const.js'. This identity confusion tactic aims to trick users into installing the malicious package accidentally.
Potential Impact
Arbitrary code execution on the installer's machine with full Node.js privileges, potentially leading to complete system compromise. The attacker can execute any code remotely by modifying the content fetched from the attacker's controlled URL. This poses a severe risk to any environment where this package is installed.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until then, avoid installing or using the 'chai-promised-test' package version 1.3.5. Verify package authenticity carefully before installation, especially for packages with names similar to popular libraries. Remove the malicious package if already installed and audit systems for signs of compromise.
MAL-2026-10052: Malicious code in chai-promised-test (npm)
Description
The npm package 'chai-promised-test' version 1.3.5 is a malicious package masquerading as the legitimate 'chai-as-promised' plugin and 'pino' logger. Upon use, it spawns a detached Node.js process that fetches and executes attacker-controlled code from a remote URL with full Node.js privileges, enabling arbitrary code execution on the installer's machine. The package conceals its command-and-control communication by shadowing process object fields and encoding headers, making detection more difficult. This package is designed to be installed by mistake due to its similarity to popular packages.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The 'chai-promised-test' npm package version 1.3.5 impersonates legitimate packages by copying their README and exports. When used, it launches a detached Node.js process running 'lib/caller.js' which retrieves a string from a remote JSON paste service (jsonkeeper.com) and executes it using the Function constructor with full Node.js capabilities (including require, filesystem, child processes, and network access). The remote code is attacker-controlled and mutable, allowing arbitrary code execution on any system that installs this package. The package hides its command-and-control headers by overriding the local process object with fields such as DEV_API_KEY and DEV_SECRET_KEY, and stores base64-encoded equivalents in 'lib/const.js'. This identity confusion tactic aims to trick users into installing the malicious package accidentally.
Potential Impact
Arbitrary code execution on the installer's machine with full Node.js privileges, potentially leading to complete system compromise. The attacker can execute any code remotely by modifying the content fetched from the attacker's controlled URL. This poses a severe risk to any environment where this package is installed.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until then, avoid installing or using the 'chai-promised-test' package version 1.3.5. Verify package authenticity carefully before installation, especially for packages with names similar to popular libraries. Remove the malicious package if already installed and audit systems for signs of compromise.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10052
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a50bab068715ace4358592c
Added to database: 07/10/2026, 09:26:08 UTC
Last enriched: 07/10/2026, 10:18:58 UTC
Last updated: 07/10/2026, 10:18:58 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.