MAL-2026-10049

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-await-dom/MAL-2026-10049.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10049
Published
2026-07-09T15:34:20Z
Modified
2026-07-09T16:31:53.656111936Z
Summary
Malicious code in chai-await-dom (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e78d8b4da2e781df4437569123ba3913c3f0135bbef66addaa5766a109fdd98b)

The package impersonates a pino-style logger API but its exported middleware spawns a detached Node child process that runs lib/caller.js. caller.js retrieves a JavaScript payload from https://jsonkeeper.com/b/BPB86 (an anonymous paste-style host) and executes it in-process via new Function.constructor('require', s)(require), granting the remote host arbitrary code execution with the installer's Node privileges. lib/const.js stores a base64-encoded sibling URL (https://jsonkeeper.com/b/ZK45J decoded from aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iL1pLNDVK), deliberately obfuscating the C2 destination. The package name (chai-await-dom) does not match its actual behavior or its impersonated logger API surface, consistent with a namespace-abuse lure carrying a remote-code-execution payload.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "e78d8b4da2e781df4437569123ba3913c3f0135bbef66addaa5766a109fdd98b",
            "id": "IN-MAL-2026-009141",
            "modified_time": "2026-07-09T15:34:20Z",
            "versions": [
                "1.3.7"
            ],
            "import_time": "2026-07-09T16:20:44.915106032Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / chai-await-dom

Package

Affected ranges

Affected versions

1.*
1.3.7

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "chai-await-dom-1.3.7.tgz",
            "hashes": {
                "sha512_sri": "sha512-wpBlzO6vV66F2F+Uhl6itDPaJLcUv0qU48G/eO9pwHf2PUcZIarVpCnWOtuxnJ8pZHDWsOStzxFSPr870KIr4w==",
                "sha1": "af909543f4befa2dbac1162b845d4c81add6d667"
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "0eb54b2e747503e5eb4ef23794f55bd236c66a580bfec44e8c227fc3d7b6c73a",
            "tlsh": "f601fe4e30fd201c42a120d55b1fa4327021e86b390ae4d5734cc7521fe656eae23fdd",
            "path": "lib/caller.js"
        },
        {
            "sha256": "9879ffb0bf61edef7e9b90ddc5fac9770c514c0cdecd9a07b15e8a677e6f8f74",
            "tlsh": "8ac08c8351e4a89704301773610ca995f2a1d26f0c840b0331f594844a396a93840fbb",
            "path": "lib/const.js"
        },
        {
            "tlsh": "30213f8175f111480658d9c8b569e5363ce3c4377207b9b0e9ecb7862bcf20c0272ad7",
            "sha256": "32e82853dd646aac388b78f868241267a5e6483d847df3d4c843f8100590d469",
            "path": "index.js"
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-await-dom/MAL-2026-10049.json"