Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

MAL-2026-10202: Malicious code in chain-await-dom (npm)

0
Critical
Published: 07/12/2026 (07/12/2026, 20:47:51 UTC)
Source: GCVE Database
Product: chain-await-dom

Description

The npm package 'chain-await-dom' version 1.3.4 contains malicious code that executes arbitrary remote JavaScript code with full Node.js privileges. The package exports a factory function that spawns a detached child process which fetches and executes code from remote endpoints, enabling remote code execution. The package also mimics the API of a legitimate logger to disguise its malicious behavior. Any project requiring this package triggers this execution, posing a severe security risk.

Affected software

npmghsa
chain-await-dom
Affected versions
=1.3.4

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/13/2026, 09:58:32 UTC

Technical Analysis

The 'chain-await-dom' npm package version 1.3.4 exports a factory function 'check()' that spawns a detached, unreferenced Node.js child process running 'lib/vcall.js'. This child process fetches JavaScript code from a mutable remote JSON storage endpoint and executes it using 'new Function.constructor', allowing arbitrary remote code execution. The package also stores a base64-encoded secondary endpoint used as a fallback for remote code execution. It re-exports the factory as 'module.exports.pino' to mimic the 'pino' logger API, misleading users about its true functionality. The malicious child process persists beyond the parent process, increasing the risk of unnoticed exploitation. The package name and README falsely describe unrelated functionality, further obscuring the threat.

Potential Impact

Any application that installs and requires 'chain-await-dom' version 1.3.4 is vulnerable to arbitrary remote code execution with full privileges of the Node.js process. This can lead to complete system compromise, data theft, or further malware deployment. The malicious child process runs detached and unreferenced, making detection and termination difficult. There are no known exploits in the wild reported yet, but the potential impact is critical.

Mitigation Recommendations

No official patch or remediation is currently available for this malicious package. Users should immediately remove 'chain-await-dom' version 1.3.4 from their dependencies and avoid installing or requiring this package. Verify your dependency tree for indirect inclusion of this package and replace it with trusted alternatives. Monitor for any unexpected child processes spawned by Node.js applications and audit systems for signs of compromise. Patch status is not yet confirmed — check vendor advisories or trusted security sources for updates.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
MAL-2026-10202
Osv Schema Version
1.7.4
Aliases
[]
Ecosystems
["npm"]
Database Specific Severity
null
Cvss Version
null

Threat ID: 6a54ae0768715ace438f8527

Added to database: 07/13/2026, 09:21:11 UTC

Last enriched: 07/13/2026, 09:58:32 UTC

Last updated: 07/13/2026, 09:58:32 UTC

Views: 3

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses