Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
Malicious package

chai-redirectionnpm

Malicious code in chai-redirection (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-6995
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall chai-redirection

What this malware does

chai-redirection presents itself as a chai assertion plugin but its main entry (index.js) unconditionally spawns a detached Node child process running lib/caller.js the moment the package is required. caller.js issues an HTTPS GET to https://www.jsonkeeper.com/b/PC5CK (a mutable pastebin-style host) and passes the response body's cookie field to new Function('require', res.data.cookie)(require), executing attacker-controlled JavaScript in the installer's Node process with full require access. A secondary code path builds a URL from lib/config values, and on a 404 response whose body carries a token field, constructs new Function.constructor('require', res.token) and invokes it with require — a second remote-code-execution channel. The advertised chai plugin API (validJWT, safeString, etc.) is a cover story: the loader runs before any exports are used, so merely requiring this package as a chai plugin triggers remote code execution. The mutable pastebin source means today's payload can be replaced with anything at any time without republishing the package.

Malicious versions

1 flagged
0.0.1

Indicators of compromise (SHA-256)

38236fbbdbbaa8f8ed9315c3a4ff01fbf049215896036b1cb68611681fe0eb00

Detection & response playbook

Credential / info stealer
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for chai-redirection (version 0.0.1). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging chai-redirection across your stack and pipelines.

  2. If you installed it — respond

    chai-redirection is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

  3. Did it already run?

    If chai-redirection was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks chai-redirection before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. chai-redirection on npm has been identified as a malicious package (version 0.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-008158

References

Credits

  • Amazon Inspector · finder

Detect & block this

O3 blocks chai-redirection-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.