MAL-2026-10054

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-smart/MAL-2026-10054.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10054
Published
2026-07-09T15:31:31Z
Modified
2026-07-09T16:31:54.507970096Z
Summary
Malicious code in chai-smart (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (28e7b8eaee41f8a9717775967be05791e0daf3f5f3e5070ac28c6a2f544fcc02)

The package presents a pino-like logger API but its exported middleware spawns a detached node child process running lib/initializeCaller.js. That script base64-decodes a hardcoded URL (https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df) stored in a fake process.env object, POSTs the full process.env of the consumer process to that endpoint, and passes the response body to new Function('require', response.data) invoked with the package's require. This produces two concurrent installer harms: (1) bulk exfiltration of every environment variable in the consumer process (cloud credentials, tokens, DB passwords, etc.) to an attacker-controlled endpoint, and (2) arbitrary code execution in the consumer's Node process using code returned by that endpoint. Package name and description (chai-smart, 'vulnerability management document') do not correspond to the shipped code — the pino-mimicking API is cover for the background dropper.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "28e7b8eaee41f8a9717775967be05791e0daf3f5f3e5070ac28c6a2f544fcc02",
            "id": "IN-MAL-2026-009122",
            "import_time": "2026-07-09T16:20:42.788191053Z",
            "versions": [
                "2.3.5"
            ],
            "modified_time": "2026-07-09T15:31:31Z",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / chai-smart

Package

Affected ranges

Affected versions

2.*
2.3.5

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "fc61b0ed62e346bfbb5e1e093e475d8b3065247dc8d315f0ea4e7cafd9661bad",
            "tlsh": "f921f38e15fe101d066751e6bb2f24027022e8133946d4a47bcc835b1fc966e99936df",
            "path": "lib/initializeCaller.js"
        },
        {
            "tlsh": "0f318545b5f21259126d98c4f6b4a5263cdf9437331b76b1cded93952bce2080032bc7",
            "sha256": "1f51184c197102444a2c8a23e4a8e54a6479750420512922fcb5d5f795c33911",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "chai-smart-2.3.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-fAFsBFm2ygqwjeVftBro02nyDsagswQih4X+VYdF0BiLgoTr1C2TDFNZHqRAL357AbHctupTuSLEo5Edzdt24g==",
                "sha1": "87170c1699874b68f1befcadf75f7100e43c402c"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-smart/MAL-2026-10054.json"