MAL-2026-10052

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-promised-test/MAL-2026-10052.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10052
Published
2026-07-09T15:33:15Z
Modified
2026-07-09T16:31:54.252865485Z
Summary
Malicious code in chai-promised-test (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (1ddaac3e93ed2e5d968816cf3153b2ab1878580bb9ee65ec3ec1acdca41dc018)

Package masquerades as a chai-as-promised plugin / pino logger (README and exports copied from pino, including module.exports.pino = middleware) but on use spawns a detached Node process running lib/caller.js, which fetches a string from https://jsonkeeper.com/b/EXSIF and executes it via new Function.constructor("require", s)(require). The fetched code runs with full Node privileges (require, fs, child_process, network). The C2 URL and request headers are concealed by shadowing the local process object with fields named DEV_API_KEY / DEV_SECRET_KEY / DEV_SECRET_VALUE, and lib/const.js carries base64-encoded equivalents that decode to a second jsonkeeper.com paste and the header name x-secret-key. The remote paste is mutable and attacker-controlled, allowing arbitrary code execution on the installer's machine. Identity confusion with chai-as-promised / pino indicates the package exists to be installed by mistake.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "1ddaac3e93ed2e5d968816cf3153b2ab1878580bb9ee65ec3ec1acdca41dc018",
            "id": "IN-MAL-2026-009134",
            "modified_time": "2026-07-09T15:33:15Z",
            "versions": [
                "1.3.5"
            ],
            "import_time": "2026-07-09T16:20:44.112262717Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / chai-promised-test

Package

Affected ranges

Affected versions

1.*
1.3.5

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "c94c68398967a72596733d62b40d3b2df9490056a3b25bfd96333d0a88d84624",
            "tlsh": "e701cb8f30fd101c019122e66b1fe4327010e85b390ae4d4374c87521ffa5aeaa53ede",
            "path": "lib/caller.js"
        },
        {
            "sha256": "32e82853dd646aac388b78f868241267a5e6483d847df3d4c843f8100590d469",
            "tlsh": "30213f8175f111480658d9c8b569e5363ce3c4377207b9b0e9ecb7862bcf20c0272ad7",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "chai-promised-test-1.3.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-Su0Hln3x1UFpaLSuH6y/aKdTWgzgBDn+xwqLc3no1XQPjC6bwyAdrXPWBTV+hSvwYc4HFKDXE8h/QsyTIzmMLQ==",
                "sha1": "950f0390e68be24c7b4ffd511d283266914568a5"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-promised-test/MAL-2026-10052.json"