MAL-2026-10408: Malicious code in chain-js-utils (npm)
The chain-js-utils npm package version 2.1.1 impersonates the legitimate pino package but contains malicious code. It exports a pino alias while actually running an Express middleware that spawns a detached child process executing remote JavaScript code fetched from an unauthenticated, mutable endpoint. This allows arbitrary code execution with full Node.js privileges in any application using this middleware. The malicious child process is detached and continues running independently, making detection difficult.
AI Analysis
Technical Summary
The chain-js-utils package (version 2.1.1) masquerades as the pino logging library by shipping pino's documentation and headers and exporting a pino alias. However, its runtime is an Express middleware factory that, upon invocation, spawns a detached child process running 'node lib/vcall.js'. This child process fetches JSON data from an unauthenticated and mutable remote URL (https://api.jsonsilo.com/public/94b14d9d-6286-4b13-a7fe-8442e55a31b4), extracts a 'model' field containing JavaScript source code, and executes it in-process with full Node.js privileges, including the ability to require modules. The middleware calls next() to appear benign, while the detached child process persists beyond the parent process lifecycle. The remote payload can be changed at any time, enabling silent arbitrary code execution in any application that uses this package.
Potential Impact
Any application that includes chain-js-utils version 2.1.1 and uses its middleware is at risk of silent remote code execution with full Node.js privileges. The attacker can execute arbitrary JavaScript code fetched from a remote, unauthenticated, and mutable endpoint, potentially leading to full system compromise, data theft, or further malicious activity. The detached child process design makes detection and termination difficult.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should immediately remove or replace the chain-js-utils package version 2.1.1 from their projects. Avoid using this package or any untrusted middleware that executes remote code. Monitor dependencies for malicious packages and verify package authenticity before use. Patch status is not yet confirmed — check the vendor advisory or trusted security sources for updates.
MAL-2026-10408: Malicious code in chain-js-utils (npm)
Description
The chain-js-utils npm package version 2.1.1 impersonates the legitimate pino package but contains malicious code. It exports a pino alias while actually running an Express middleware that spawns a detached child process executing remote JavaScript code fetched from an unauthenticated, mutable endpoint. This allows arbitrary code execution with full Node.js privileges in any application using this middleware. The malicious child process is detached and continues running independently, making detection difficult.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The chain-js-utils package (version 2.1.1) masquerades as the pino logging library by shipping pino's documentation and headers and exporting a pino alias. However, its runtime is an Express middleware factory that, upon invocation, spawns a detached child process running 'node lib/vcall.js'. This child process fetches JSON data from an unauthenticated and mutable remote URL (https://api.jsonsilo.com/public/94b14d9d-6286-4b13-a7fe-8442e55a31b4), extracts a 'model' field containing JavaScript source code, and executes it in-process with full Node.js privileges, including the ability to require modules. The middleware calls next() to appear benign, while the detached child process persists beyond the parent process lifecycle. The remote payload can be changed at any time, enabling silent arbitrary code execution in any application that uses this package.
Potential Impact
Any application that includes chain-js-utils version 2.1.1 and uses its middleware is at risk of silent remote code execution with full Node.js privileges. The attacker can execute arbitrary JavaScript code fetched from a remote, unauthenticated, and mutable endpoint, potentially leading to full system compromise, data theft, or further malicious activity. The detached child process design makes detection and termination difficult.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should immediately remove or replace the chain-js-utils package version 2.1.1 from their projects. Avoid using this package or any untrusted middleware that executes remote code. Monitor dependencies for malicious packages and verify package authenticity before use. Patch status is not yet confirmed — check the vendor advisory or trusted security sources for updates.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10408
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a54ada068715ace438f3dee
Added to database: 07/13/2026, 09:19:28 UTC
Last enriched: 07/13/2026, 09:27:51 UTC
Last updated: 07/14/2026, 03:02:18 UTC
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.