MAL-2026-10175

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-doc/MAL-2026-10175.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10175
Published
2026-07-10T21:24:50Z
Modified
2026-07-10T21:31:48.961448218Z
Summary
Malicious code in chai-as-doc (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (cecfd3091225b3667317dd9da8fd56c4f5e7fc675e17d52cda601898b3a50ec2)

The package presents itself as pino-style logging middleware but on require() spawns a detached Node child that runs lib/initializeCaller.js. That script base64-decodes a hardcoded URL (stored as a fake DEVAPIKEY constant) resolving to https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df, POSTs the entire process.env object to it with an x-secret-header, and then passes the HTTP response body to new Function("require", response.data) and invokes it with the local require. This gives the remote host arbitrary code execution inside the installer's Node process with full environment/credential access. The base64 obfuscation of the endpoint, the disguised middleware cover story, and the name resembling chai/chai-as-promised are consistent with a typosquat supply-chain attack.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "2.3.5"
            ],
            "id": "IN-MAL-2026-009714",
            "import_time": "2026-07-10T21:26:06.007803703Z",
            "modified_time": "2026-07-10T21:24:50Z",
            "sha256": "cecfd3091225b3667317dd9da8fd56c4f5e7fc675e17d52cda601898b3a50ec2",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / chai-as-doc

Package

Affected ranges

Affected versions

2.*
2.3.5

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "fc61b0ed62e346bfbb5e1e093e475d8b3065247dc8d315f0ea4e7cafd9661bad",
            "tlsh": "f921f38e15fe101d066751e6bb2f24027022e8133946d4a47bcc835b1fc966e99936df",
            "path": "lib/initializeCaller.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "chai-as-doc-2.3.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-mn+k+zE6L5wdiEpurZCLNXuBEwiJdgozfMwqe+9pnoeS4HGjnMMCfFxT2HGKrXiAV13WCU9rANeJShKIXv4EhA==",
                "sha1": "2ff81e9aa495165d5a93b34d754ea5d4b50ea698"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-doc/MAL-2026-10175.json"