MAL-2026-10056: Malicious code in chain-chai-await (npm)
The npm package 'chain-chai-await' versions 1.3.5, 1.3.6, and 1.3.7 is a malicious dropper disguised as a pino-compatible logging library. It mimics the file structure of the legitimate pino package but contains code that spawns a detached Node subprocess which fetches and executes remote code from a public JSON paste service. This results in arbitrary remote code execution within the consumer's Node process with full access to require, enabling potentially complete compromise. There is no vendor advisory or patch information available for this threat.
AI Analysis
Technical Summary
The 'chain-chai-await' npm package impersonates the pino logging library by mirroring its file layout and exports but is unrelated to the genuine package. When used, it spawns a detached Node subprocess that performs an HTTP GET request to a public JSON paste URL to retrieve a 'cookie' field containing JavaScript code. This code is executed dynamically using the Function constructor with access to Node's require function, allowing arbitrary remote code execution in the context of the consumer's process. The package includes obfuscated backup URLs and header keys to maintain persistence and evade detection. This behavior identifies it as a malicious dropper disguised as a logging library. The affected versions are exactly 1.3.5, 1.3.6, and 1.3.7. No official patch or remediation guidance is currently available.
Potential Impact
Exploitation of this malicious package leads to arbitrary remote code execution within the Node.js process of any consumer that installs and uses it. This grants an attacker full access to the require function, enabling loading of any module and execution of arbitrary code with the privileges of the Node process. This can result in complete system compromise, data theft, or further malware deployment.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix or removal is confirmed, users should immediately remove the 'chain-chai-await' package versions 1.3.5, 1.3.6, and 1.3.7 from their projects and replace it with a verified legitimate logging library. Avoid installing packages from untrusted sources and verify package authenticity before use.
MAL-2026-10056: Malicious code in chain-chai-await (npm)
Description
The npm package 'chain-chai-await' versions 1.3.5, 1.3.6, and 1.3.7 is a malicious dropper disguised as a pino-compatible logging library. It mimics the file structure of the legitimate pino package but contains code that spawns a detached Node subprocess which fetches and executes remote code from a public JSON paste service. This results in arbitrary remote code execution within the consumer's Node process with full access to require, enabling potentially complete compromise. There is no vendor advisory or patch information available for this threat.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The 'chain-chai-await' npm package impersonates the pino logging library by mirroring its file layout and exports but is unrelated to the genuine package. When used, it spawns a detached Node subprocess that performs an HTTP GET request to a public JSON paste URL to retrieve a 'cookie' field containing JavaScript code. This code is executed dynamically using the Function constructor with access to Node's require function, allowing arbitrary remote code execution in the context of the consumer's process. The package includes obfuscated backup URLs and header keys to maintain persistence and evade detection. This behavior identifies it as a malicious dropper disguised as a logging library. The affected versions are exactly 1.3.5, 1.3.6, and 1.3.7. No official patch or remediation guidance is currently available.
Potential Impact
Exploitation of this malicious package leads to arbitrary remote code execution within the Node.js process of any consumer that installs and uses it. This grants an attacker full access to the require function, enabling loading of any module and execution of arbitrary code with the privileges of the Node process. This can result in complete system compromise, data theft, or further malware deployment.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix or removal is confirmed, users should immediately remove the 'chain-chai-await' package versions 1.3.5, 1.3.6, and 1.3.7 from their projects and replace it with a verified legitimate logging library. Avoid installing packages from untrusted sources and verify package authenticity before use.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10056
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a50ba9768715ace435825d9
Added to database: 07/10/2026, 09:25:43 UTC
Last enriched: 07/10/2026, 10:11:26 UTC
Last updated: 07/10/2026, 10:11:26 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.