Which versions of chain-async-test are malicious?

The following npm versions of chain-async-test are flagged malicious: 1.1.7. Treat any of these as compromised.

How do I remediate chain-async-test if I installed it?

chain-async-test is a typosquat — you almost certainly intended a legitimately-named package. Remove chain-async-test, install the correct package, and rotate any secrets exposed during the install since post-install scripts may have already run.

I already installed chain-async-test — how do I know if it already compromised me?

If chain-async-test was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is chain-async-test part of a known attack campaign?

Yes — chain-async-test is associated with the IN-MAL-2026-003613 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find chain-async-test across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for chain-async-test (version 1.1.7). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging chain-async-test across your stack and pipelines.

Malicious package

chain-async-testnpm

Malicious code in chain-async-test (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-4516

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall chain-async-test

What this malware does

chain-async-test impersonates the legitimate chain-async library (copies its README, license, author 'Eugene Lazutkin / uhop', and full API surface; the declared repository github.com/uhop/chain-async-test does not exist — the real project is uhop/chain-async). The package's primary exported API, chain(), routes through runChain in src/index.js (lines 225-232), which spawns src/utils/swap.js as a detached, unref'd Node child process (stdio ignored). swap.js (lines 21-23) issues an axios GET to https://www.jsonkeeper.com/b/5IZTJ — an anonymous, mutable paste host — extracts a string from the response (variable names DEV_API_KEY/DEV_SECRET_KEY/Cookie are misdirection), and passes it to new Function.constructor('require', s) invoked with the package's own require. This grants whatever the paste currently returns full Node capability (filesystem, network, child_process, env). Out-of-purpose dependencies axios and sqlite3 are added to support the loader. Any consumer calling chain(...) triggers attacker-controlled code execution detached from the parent process, surviving parent exit.

Malicious versions

1 flagged

1.1.7

Indicators of compromise (SHA-256)

37ce7d13d84d6293da0026d252448caac350f46ecf2206ee1eaeeff8b47d48c6

Detection & response playbook

Typosquat

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for chain-async-test (version 1.1.7). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging chain-async-test across your stack and pipelines.
If you installed it — respond
chain-async-test is a typosquat — you almost certainly intended a legitimately-named package. Remove chain-async-test, install the correct package, and rotate any secrets exposed during the install since post-install scripts may have already run.
Did it already run?
If chain-async-test was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks chain-async-test before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. chain-async-test on npm has been identified as a malicious package (version 1.1.7 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-003613

References

npmjs.com

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks chain-async-test-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring