Supply-chain threat intelligence
Risk score
92
Indexed incident for chain-await-dom (npm).
The package's declared main entry index.js exports a factory check() that spawns a detached, unreferenced Node child process running lib/vcall.js, then returns a noop Express-shaped middleware as cover. lib/vcall.js fetches JavaScript from https://api.jsonsilo.com/public/c6c0b393-932f-4ae1-8fca-23c6747f4acc (a mutable JSON-storage endpoint) and executes the response body via new Function.constructor('require', src)(require), with up to 5 retries. lib/constants.js also stores a base64-encoded secondary endpoint DEV_API_KEY decoding to https://jsonkeeper.com/b/ZK45J, consistent with fallback/staged remote-execution infrastructure. The module additionally re-exports the factory as module.exports.pino = check, mimicking the pino logger API, while the package name (chain-await-dom) and README describe unrelated functionality. Any consumer that requires this package triggers arbitrary remote code execution with full Node privileges; the detached+unref child process persists beyond the parent.
Affected versions
Indicators
Timeline