MAL-2026-10504

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-verified/MAL-2026-10504.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10504
Published
2026-07-13T22:10:30Z
Modified
2026-07-13T22:31:56.856037858Z
Summary
Malicious code in chai-as-verified (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (fece219fd09d83bc6a41135483cf3ce8cd2769c22e7776c22d0eb97d65852dd5)

Package name typosquats chai-as-promised while its package.json advertises unrelated logger/vulnerability-management metadata. On require, index.js invokes a middleware() that spawns a detached node child process running lib/initializeCaller.js with stdio ignored and unref()'d. That child decodes a base64-hidden URL (https://tomato-brunhilda-40.tiiny.site/index.json) from a shadowed process.env object, fetches the JS response with a base64-decoded header name x-secret-key, and executes it via new Function.constructor("require", response)(require), granting the remote payload full Node require access. The C2 URL, header name, and header value are stored as base64 to hide them from static analysis.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-13T22:10:30Z",
            "versions": [
                "7.1.5"
            ],
            "sha256": "fece219fd09d83bc6a41135483cf3ce8cd2769c22e7776c22d0eb97d65852dd5",
            "id": "IN-MAL-2026-010346",
            "source": "amazon-inspector",
            "import_time": "2026-07-13T22:21:57.465408608Z"
        }
    ]
}
References
Credits

Affected packages

npm / chai-as-verified

Package

Affected ranges

Affected versions

7.*
7.1.5

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "9511c08e61fc200c046512e6b62f18126021e8673d86d5e47acc835b1f9567f7d936df",
            "sha256": "23436f977c9bbe6d302f0f94e191b3dfd938e5a0417ec098d38b60b0ed0cb14f",
            "path": "lib/initializeCaller.js"
        },
        {
            "tlsh": "02019c60ce788e2304ed25825c2e064376618c135928fc1d32d7512c0fad5bf11bf21d",
            "sha256": "cf56691d128cbabaac3fba4c1f6d3d32b7292fdf79b8d3dfa827dd4ca9ac4653",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha1": "b8b12a16da62f891f09f5356c4b41a67568ae83d",
                "sha512_sri": "sha512-V5esP/m2nkkYCfR/IMT9tWTylt5y2QLyJOA5ecS2R5Q7fOGmCQ1jK65UX9oihxXcGYetrtll6VReblwwaQ7f4Q=="
            },
            "filename": "chai-as-verified-7.1.5.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-verified/MAL-2026-10504.json"