MAL-2026-10622

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-structured/MAL-2026-10622.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10622
Published
2026-07-14T20:33:52Z
Modified
2026-07-14T21:04:39.901929690Z
Summary
Malicious code in chai-as-structured (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (9508b72d48575443d9e68f1da1ef6bdd1ebc9351f271fba56b563701f03e56e2)

The package name evokes chai-as-promised but the shipped code presents itself as pino middleware. When the middleware factory in index.js is invoked, it spawns a detached node child process running lib/initializeCaller.js. That script constructs a fake process.env stub whose DEVAPIKEY, DEVSECRETKEY, and DEVSECRETVALUE fields are base64 blobs that decode to a URL and request headers pointing at https://tomato-brunhilda-40.tiiny.site/index.json (an anonymous file-hosting host). The response's cookie field is passed to new Function.constructor('require', response) with the host's require handed in, giving the fetched string full Node privileges. The base64 concealment, misleading DEVAPIKEY naming, detached child launch, and typosquat-style package name are consistent with intentional supply-chain attack tradecraft rather than any legitimate loader.

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010566",
            "import_time": "2026-07-14T20:52:50.281913203Z",
            "sha256": "9508b72d48575443d9e68f1da1ef6bdd1ebc9351f271fba56b563701f03e56e2",
            "versions": [
                "7.0.5"
            ],
            "modified_time": "2026-07-14T20:33:52Z"
        }
    ]
}
References
Credits

Affected packages

npm / chai-as-structured

Package

Affected ranges

Affected versions

7.*
7.0.5

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-structured/MAL-2026-10622.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "chai-as-structured-7.0.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-oUX8E4HDpgYCYuWmleESewDFZ+tXxErnur+H5e72ugidFOmnzwRa6aqR/dt/etnGVG+2KdiKYjVNxk38swDzfw==",
                "sha1": "569530bf7a6b2f5c548a6d59ebc9e18b870a47d6"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "lib/initializeCaller.js",
            "sha256": "23436f977c9bbe6d302f0f94e191b3dfd938e5a0417ec098d38b60b0ed0cb14f",
            "tlsh": "9511c08e61fc200c046512e6b62f18126021e8673d86d5e47acc835b1f9567f7d936df"
        },
        {
            "path": "index.js",
            "sha256": "1f51184c197102444a2c8a23e4a8e54a6479750420512922fcb5d5f795c33911",
            "tlsh": "0f318545b5f21259126d98c4f6b4a5263cdf9437331b76b1cded93952bce2080032bc7"
        }
    ]
}