-= Per source details. Do not edit below this line.=-
On require('chai-deflect'), index.js top-level invokes launchDeflectBootstrap() which detaches a child process running lib/caller.js. caller.js issues an HTTP GET to http://server-genimi-check.vercel.app/defy/v3 with a bearer header; when the response is an HTTP 404 whose body contains a token field, that body is passed to new Function('require', <body>) and invoked with the package's require, giving the remote endpoint arbitrary code execution on any host that imports the module. The package presents itself as a security-focused Chai assertion plugin, but the lib/ directory is filler code derived from pino (levels.js, multistream.js, proto.js, transport.js, worker.js) unrelated to Chai, and lib/const.js hides a base64-encoded secondary URL (https://jsonkeeper.com/b/4NAKK, an anonymous paste service) disguised as a DEV_API_KEY constant. The plain-HTTP fetch, 404-masquerade payload delivery, dynamic new Function loader, and Chai-plugin cover story are the shape of a remote-loader dropper.
{
"malicious-packages-origins": [
{
"versions": [
"1.1.5"
],
"id": "IN-MAL-2026-009126",
"import_time": "2026-07-09T16:20:43.240070159Z",
"modified_time": "2026-07-09T15:32:06Z",
"sha256": "4328eb627063ce40813ae27e3cb7ec1a967d17aa6c2bf045f0083d42e09352ea",
"source": "amazon-inspector"
},
{
"sha256": "9e97dd2b28340abd67d519289e048ae78c5bf62009a0c9078675979eb90f994c",
"id": "IN-MAL-2026-009137",
"modified_time": "2026-07-09T15:33:41Z",
"versions": [
"1.1.6"
],
"import_time": "2026-07-09T16:20:44.48151509Z",
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "e833ee2e2282c22142369f8bf5ea57acf8a971bdb498c8f477ec9cf4cffe4e04",
"tlsh": "3111d0753cf5216a0122a8ee970b98163419e5132959d5913fcc43c11f6645d45f7bcc",
"path": "lib/caller.js"
},
{
"sha256": "d10853dde92fdc48d8cb5505d89e0030fd35e1416a16a820fe5ec4aceef01c4f",
"tlsh": "b9c08c8351f0684b04301bb3a50ca991f2a1d26f0884160231f564844b396a92848fb7",
"path": "lib/const.js"
},
{
"sha256": "a8efd25649cdd092f2d2c9d7d2974ddc557eb9ea6c7ec88b3054dbb96417d09a",
"tlsh": "32014764c93c9d7305ea22a144694157a1629e0b8848fc0d33ea412ccf9c9af50fea6e",
"path": "package.json"
}
],
"package_integrity": [
{
"filename": "chai-deflect-1.1.5.tgz",
"hashes": {
"sha512_sri": "sha512-mcAFg5MJeS96pd62+Zz9lqFs4T72yneoRvhHilX4n3dC5Fn/XoK5vS0439srqBlix6Au8fQjULQ3IceAUJXRaA==",
"sha1": "4b709396e979bae3385f57a7170f226b9e1075a9"
}
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-deflect/MAL-2026-10051.json"