Which versions of chai-as-patch are malicious?

The following npm versions of chai-as-patch are flagged malicious: 1.1.9. Treat any of these as compromised.

How do I remediate chai-as-patch if I installed it?

chai-as-patch establishes remote access, so treat any host that installed it as fully compromised. Isolate the machine, remove the package, rotate all credentials it could reach, and rebuild from a trusted image rather than cleaning in place — a backdoor may have planted additional persistence.

I already installed chai-as-patch — how do I know if it already compromised me?

If chai-as-patch was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is chai-as-patch part of a known attack campaign?

Yes — chai-as-patch is associated with the IN-MAL-2026-004613 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find chai-as-patch across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for chai-as-patch (version 1.1.9). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging chai-as-patch across your stack and pipelines.

Malicious package

chai-as-patchnpm

Malicious code in chai-as-patch (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-4511

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall chai-as-patch

What this malware does

This package is a typosquat of chai-as-promised that delivers remote code execution to any installer that requires it and invokes the exported middleware. index.js spawns a detached, stdio-ignored child process running lib/caller.js. caller.js fetches https://jsonkeeper.com/b/XRGF3 (a free anonymous JSON paste host) via axios, extracts the .cookie field from the response, and passes it into new Function.constructor('require', s), then invokes the resulting function with the real require — giving the paste host's controller arbitrary code execution in the consumer's Node process. The C2 URL is base64-encoded and hidden inside a fake process.env-shaped object (DEV_API_KEY: "aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iL1hSR0Yz"); a second encoded paste ID (4NAKK) is stored in lib/const.js. The package metadata further obfuscates intent: name mimics chai-as-promised, description claims to be a vulnerability manager, keywords are pino-related, and the bug tracker points at an unrelated domain. The detached+unref'd subprocess pattern is intended to hide the loader from the calling process. Multiple independent block signals are present: anonymous-host remote-code fetch with no integrity check, dynamic Function-constructor execution of attacker-controlled bytes, base64-concealed C2, hidden detached subprocess delivery, and typosquat naming.

Malicious versions

1 flagged

1.1.9

Indicators of compromise (SHA-256)

c0f6b316992ec48b2d29d234f9debebcf239653a2371d54ab9f6e487c4fdba7b

Detection & response playbook

Backdoor / remote access

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for chai-as-patch (version 1.1.9). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging chai-as-patch across your stack and pipelines.
If you installed it — respond
chai-as-patch establishes remote access, so treat any host that installed it as fully compromised. Isolate the machine, remove the package, rotate all credentials it could reach, and rebuild from a trusted image rather than cleaning in place — a backdoor may have planted additional persistence.
Did it already run?
If chai-as-patch was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks chai-as-patch before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. chai-as-patch on npm has been identified as a malicious package (version 1.1.9 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004613

References

npmjs.com

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks chai-as-patch-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the C2 callback and severs the channel.

Malware detection Runtime egress monitoring