MAL-2026-10043

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-modified/MAL-2026-10043.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10043
Published
2026-07-09T15:34:58Z
Modified
2026-07-09T16:31:52.939217729Z
Summary
Malicious code in chai-as-modified (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (ab841cd3ab01bfcd1257a214489b41f10e236779e236a0672642777160245a9e)

Package name is a 1-2 character variant of the widely-used chai-as-promised plugin. The exported function — the entry point users pass to chai.use(...) per the copied pino README — invokes a runBackgroundTask helper that spawns a detached node subprocess (detached: true, stdio: 'ignore', child.unref()) running a sibling ./lib/initializeCaller.js, then returns a no-op pass-through middleware. The detached, unref'd child is decoupled from the parent test runner and outlives it — an out-of-band execution channel that has no relationship to the advertised purpose of a chai assertion plugin. The lib/ directory ships a verbatim copy of unrelated pino source as decoy content, and the README is copied from pinojs/pino. In this specific tarball the referenced ./lib/initializeCaller.js file is not present, so the fork currently errors out, but the launcher stub, name-confusion vector, decoy content, and covert-execution mechanism are all in place; the missing payload is consistent with a staged release or intended delivery via a sibling/subsequent publish.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "ab841cd3ab01bfcd1257a214489b41f10e236779e236a0672642777160245a9e",
            "id": "IN-MAL-2026-009145",
            "modified_time": "2026-07-09T15:34:58Z",
            "versions": [
                "6.0.4"
            ],
            "import_time": "2026-07-09T16:20:45.342198505Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / chai-as-modified

Package

Affected ranges

Affected versions

6.*
6.0.4

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "0f318545b5f21259126d98c4f6b4a5263cdf9437331b76b1cded93952bce2080032bc7",
            "sha256": "1f51184c197102444a2c8a23e4a8e54a6479750420512922fcb5d5f795c33911",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "chai-as-modified-6.0.4.tgz",
            "hashes": {
                "sha512_sri": "sha512-pZVE0B3+ZBcBLup07BG7RtfwDOw+T+zeX7zXpYyxXgdxdBq1ETOCqI6rLe1AcMLV2A47dL8QbsNv2/B4OfClmA==",
                "sha1": "55ab6b27cdb0e54c6a6546298dbed06e77f46c34"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-modified/MAL-2026-10043.json"