Supply-chain threat intelligence

Incident detail

criticalnpm·malware·osv

Malicious code in chain-await-dom (npm)

chain-await-dom

Risk score

92

AI summary

Indexed incident for chain-await-dom (npm).

Description

The package's declared main entry index.js exports a factory check() that spawns a detached, unreferenced Node child process running lib/vcall.js, then returns a noop Express-shaped middleware as cover. lib/vcall.js fetches JavaScript from https://api.jsonsilo.com/public/c6c0b393-932f-4ae1-8fca-23c6747f4acc (a mutable JSON-storage endpoint) and executes the response body via new Function.constructor('require', src)(require), with up to 5 retries. lib/constants.js also stores a base64-encoded secondary endpoint DEV_API_KEY decoding to https://jsonkeeper.com/b/ZK45J, consistent with fallback/staged remote-execution infrastructure. The module additionally re-exports the factory as module.exports.pino = check, mimicking the pino logger API, while the package name (chain-await-dom) and README describe unrelated functionality. Any consumer that requires this package triggers arbitrary remote code execution with full Node privileges; the detached+unref child process persists beyond the parent.

Technical details

Affected versions

=1.3.4

Indicators

  • affected version=1.3.475%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents