chain-await-domnpm
Malicious code in chain-await-dom (npm) Remove it immediately and rotate any exposed credentials.
What this malware does
The package's declared main entry index.js exports a factory check() that spawns a detached, unreferenced Node child process running lib/vcall.js, then returns a noop Express-shaped middleware as cover. lib/vcall.js fetches JavaScript from https://api.jsonsilo.com/public/c6c0b393-932f-4ae1-8fca-23c6747f4acc (a mutable JSON-storage endpoint) and executes the response body via new Function.constructor('require', src)(require), with up to 5 retries. lib/constants.js also stores a base64-encoded secondary endpoint DEV_API_KEY decoding to https://jsonkeeper.com/b/ZK45J, consistent with fallback/staged remote-execution infrastructure. The module additionally re-exports the factory as module.exports.pino = check, mimicking the pino logger API, while the package name (chain-await-dom) and README describe unrelated functionality. Any consumer that requires this package triggers arbitrary remote code execution with full Node privileges; the detached+unref child process persists beyond the parent.
Malicious versions
Indicators of compromise (SHA-256)
Detection & response playbook
TyposquatFind it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for chain-await-dom (version 1.3.4). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging chain-await-dom across your stack and pipelines.
If you installed it — respond
chain-await-dom is a typosquat — you almost certainly intended a legitimately-named package. Remove chain-await-dom, install the correct package, and rotate any secrets exposed during the install since post-install scripts may have already run.
Did it already run?
If chain-await-dom was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks chain-await-dom before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
Frequently asked questions
Campaign
References
Credits
- Amazon Inspector · finder
Detect & block this
O3 blocks chain-await-dom-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.