MAL-2026-10406: Malicious code in async-chain-dom (npm)
The async-chain-dom npm package version 1.3.5 contains malicious code that executes arbitrary JavaScript fetched from a remote attacker-controlled server. Upon requiring the package, it spawns a detached child Node.js process that continuously fetches and executes code from a mutable remote JSON endpoint. The package masquerades as the pino logger to deceive developers. This behavior allows persistent remote code execution within the Node.js environment of the consumer.
AI Analysis
Technical Summary
The async-chain-dom package (version 1.3.5) includes malicious functionality where requiring the package triggers spawning a detached, unreferenced child process running 'node lib/vcall.js'. This child process repeatedly fetches JavaScript code from a remote URL (https://api.jsonsilo.com/public/df71fd55-4f0c-4326-9b5b-a285e38023a5) controlled by an attacker. The fetched code is extracted from the '.model' field of the JSON response and executed dynamically using the Function constructor with 'require' passed in, enabling arbitrary code execution within the Node.js process. The detached and unref pattern allows this process to persist beyond the lifecycle of the parent process. The package attempts to disguise itself as the pino logger by mimicking its module exports and file structure, facilitating its inclusion by developers under false pretenses. The remote payload can be changed at any time, allowing the attacker to update the malicious code executed on victims' systems.
Potential Impact
This malicious package enables an attacker to achieve arbitrary code execution on any system that installs and requires async-chain-dom version 1.3.5. The persistent detached child process ensures the malicious code continues running independently of the parent process lifecycle. Because the remote payload is mutable, the attacker can modify the executed code at will, potentially escalating impact or changing attack behavior over time. This compromises the confidentiality, integrity, and availability of affected systems and may lead to further compromise or data theft.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should immediately remove async-chain-dom version 1.3.5 from their projects and dependency trees. Avoid installing or requiring this package. Verify your environment for any running detached Node.js processes spawned by this package and terminate them. Monitor for any unexpected network connections to api.jsonsilo.com or similar domains. Since no fix is confirmed, check vendor advisories or trusted sources for updates. Consider replacing this package with a verified, trusted alternative.
MAL-2026-10406: Malicious code in async-chain-dom (npm)
Description
The async-chain-dom npm package version 1.3.5 contains malicious code that executes arbitrary JavaScript fetched from a remote attacker-controlled server. Upon requiring the package, it spawns a detached child Node.js process that continuously fetches and executes code from a mutable remote JSON endpoint. The package masquerades as the pino logger to deceive developers. This behavior allows persistent remote code execution within the Node.js environment of the consumer.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The async-chain-dom package (version 1.3.5) includes malicious functionality where requiring the package triggers spawning a detached, unreferenced child process running 'node lib/vcall.js'. This child process repeatedly fetches JavaScript code from a remote URL (https://api.jsonsilo.com/public/df71fd55-4f0c-4326-9b5b-a285e38023a5) controlled by an attacker. The fetched code is extracted from the '.model' field of the JSON response and executed dynamically using the Function constructor with 'require' passed in, enabling arbitrary code execution within the Node.js process. The detached and unref pattern allows this process to persist beyond the lifecycle of the parent process. The package attempts to disguise itself as the pino logger by mimicking its module exports and file structure, facilitating its inclusion by developers under false pretenses. The remote payload can be changed at any time, allowing the attacker to update the malicious code executed on victims' systems.
Potential Impact
This malicious package enables an attacker to achieve arbitrary code execution on any system that installs and requires async-chain-dom version 1.3.5. The persistent detached child process ensures the malicious code continues running independently of the parent process lifecycle. Because the remote payload is mutable, the attacker can modify the executed code at will, potentially escalating impact or changing attack behavior over time. This compromises the confidentiality, integrity, and availability of affected systems and may lead to further compromise or data theft.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should immediately remove async-chain-dom version 1.3.5 from their projects and dependency trees. Avoid installing or requiring this package. Verify your environment for any running detached Node.js processes spawned by this package and terminate them. Monitor for any unexpected network connections to api.jsonsilo.com or similar domains. Since no fix is confirmed, check vendor advisories or trusted sources for updates. Consider replacing this package with a verified, trusted alternative.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10406
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a54ada068715ace438f3deb
Added to database: 07/13/2026, 09:19:28 UTC
Last enriched: 07/13/2026, 09:27:37 UTC
Last updated: 07/13/2026, 09:27:37 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.