Supply-chain threat intelligence
Risk score
92
Indexed incident for chai-as-doc (npm).
The package presents itself as pino-style logging middleware but on require() spawns a detached Node child that runs lib/initializeCaller.js. That script base64-decodes a hardcoded URL (stored as a fake DEV_API_KEY constant) resolving to https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df, POSTs the entire process.env object to it with an x-secret-header, and then passes the HTTP response body to new Function("require", response.data) and invokes it with the local require. This gives the remote host arbitrary code execution inside the installer's Node process with full environment/credential access. The base64 obfuscation of the endpoint, the disguised middleware cover story, and the name resembling chai/chai-as-promised are consistent with a typosquat supply-chain attack.
Affected versions
Indicators
Timeline