MAL-2026-10202: Malicious code in chain-await-dom (npm)
The npm package 'chain-await-dom' version 1.3.4 contains malicious code that executes arbitrary remote JavaScript code with full Node.js privileges. The package exports a factory function that spawns a detached child process which fetches and executes code from remote endpoints, enabling remote code execution. The package also mimics the API of a legitimate logger to disguise its malicious behavior. Any project requiring this package triggers this execution, posing a severe security risk.
AI Analysis
Technical Summary
The 'chain-await-dom' npm package version 1.3.4 exports a factory function 'check()' that spawns a detached, unreferenced Node.js child process running 'lib/vcall.js'. This child process fetches JavaScript code from a mutable remote JSON storage endpoint and executes it using 'new Function.constructor', allowing arbitrary remote code execution. The package also stores a base64-encoded secondary endpoint used as a fallback for remote code execution. It re-exports the factory as 'module.exports.pino' to mimic the 'pino' logger API, misleading users about its true functionality. The malicious child process persists beyond the parent process, increasing the risk of unnoticed exploitation. The package name and README falsely describe unrelated functionality, further obscuring the threat.
Potential Impact
Any application that installs and requires 'chain-await-dom' version 1.3.4 is vulnerable to arbitrary remote code execution with full privileges of the Node.js process. This can lead to complete system compromise, data theft, or further malware deployment. The malicious child process runs detached and unreferenced, making detection and termination difficult. There are no known exploits in the wild reported yet, but the potential impact is critical.
Mitigation Recommendations
No official patch or remediation is currently available for this malicious package. Users should immediately remove 'chain-await-dom' version 1.3.4 from their dependencies and avoid installing or requiring this package. Verify your dependency tree for indirect inclusion of this package and replace it with trusted alternatives. Monitor for any unexpected child processes spawned by Node.js applications and audit systems for signs of compromise. Patch status is not yet confirmed — check vendor advisories or trusted security sources for updates.
MAL-2026-10202: Malicious code in chain-await-dom (npm)
Description
The npm package 'chain-await-dom' version 1.3.4 contains malicious code that executes arbitrary remote JavaScript code with full Node.js privileges. The package exports a factory function that spawns a detached child process which fetches and executes code from remote endpoints, enabling remote code execution. The package also mimics the API of a legitimate logger to disguise its malicious behavior. Any project requiring this package triggers this execution, posing a severe security risk.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The 'chain-await-dom' npm package version 1.3.4 exports a factory function 'check()' that spawns a detached, unreferenced Node.js child process running 'lib/vcall.js'. This child process fetches JavaScript code from a mutable remote JSON storage endpoint and executes it using 'new Function.constructor', allowing arbitrary remote code execution. The package also stores a base64-encoded secondary endpoint used as a fallback for remote code execution. It re-exports the factory as 'module.exports.pino' to mimic the 'pino' logger API, misleading users about its true functionality. The malicious child process persists beyond the parent process, increasing the risk of unnoticed exploitation. The package name and README falsely describe unrelated functionality, further obscuring the threat.
Potential Impact
Any application that installs and requires 'chain-await-dom' version 1.3.4 is vulnerable to arbitrary remote code execution with full privileges of the Node.js process. This can lead to complete system compromise, data theft, or further malware deployment. The malicious child process runs detached and unreferenced, making detection and termination difficult. There are no known exploits in the wild reported yet, but the potential impact is critical.
Mitigation Recommendations
No official patch or remediation is currently available for this malicious package. Users should immediately remove 'chain-await-dom' version 1.3.4 from their dependencies and avoid installing or requiring this package. Verify your dependency tree for indirect inclusion of this package and replace it with trusted alternatives. Monitor for any unexpected child processes spawned by Node.js applications and audit systems for signs of compromise. Patch status is not yet confirmed — check vendor advisories or trusted security sources for updates.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10202
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a54ae0768715ace438f8527
Added to database: 07/13/2026, 09:21:11 UTC
Last enriched: 07/13/2026, 09:58:32 UTC
Last updated: 07/13/2026, 09:58:32 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.