MAL-2026-10607

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-act/MAL-2026-10607.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10607
Published
2026-07-14T17:53:35Z
Modified
2026-07-14T18:49:31.133911730Z
Summary
Malicious code in chai-as-act (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (bbf85a5e85f183a28cc32ff39ddcc68ef15b698cc62eccfaa89dd1bb80c709f6)

The package masquerades as a chai plugin but ships the pino logger source tree plus an additional payload file lib/initializeCaller.js. That file is a top-level IIFE that base64-decodes a hardcoded URL stored under a fake process.env.DEVAPIKEY literal (decoding to https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df), POSTs the entire process.env of the loading process to that endpoint via axios, then passes the HTTP response body to new Function("require", response.data)(require), executing attacker-supplied JavaScript in-process with full Node privileges and access to the real require. Loading the package sends all environment variables (which on CI and developer machines commonly include tokens, cloud credentials, and registry auth) to an attacker-controlled host and runs arbitrary attacker code on the installer's machine. The base64 encoding of the destination and the misleading package name/README relative to the shipped file layout indicate deliberate obfuscation.

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "sha256": "bbf85a5e85f183a28cc32ff39ddcc68ef15b698cc62eccfaa89dd1bb80c709f6",
            "modified_time": "2026-07-14T17:53:35Z",
            "import_time": "2026-07-14T18:28:26.499403925Z",
            "id": "IN-MAL-2026-010531",
            "versions": [
                "1.0.2"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / chai-as-act

Package

Affected ranges

Affected versions

1.*
1.0.2

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-act/MAL-2026-10607.json"
cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "chai-as-act-1.0.2.tgz",
            "hashes": {
                "sha512_sri": "sha512-UPP8xI3ERWsvV5K6Wl4KbNzo1DAT1IasAQ2cHKrCn8Mu8l7jeh8zG4vhMer7F80wgyacdPEy0yz95S+XaIvQWg==",
                "sha1": "024e9d8e81ed805119ed18f093cd3953a135d371"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "lib/initializeCaller.js",
            "sha256": "fc61b0ed62e346bfbb5e1e093e475d8b3065247dc8d315f0ea4e7cafd9661bad",
            "tlsh": "f921f38e15fe101d066751e6bb2f24027022e8133946d4a47bcc835b1fc966e99936df"
        }
    ]
}