MAL-2026-10630

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-byte/MAL-2026-10630.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10630
Published
2026-07-15T01:21:59Z
Modified
2026-07-15T05:19:47.445849616Z
Summary
Malicious code in chai-as-byte (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (a6820ba756fd8d2eb81435c478feb269e34f2aea859e42b42861d0a28f914a1f)

On require of the package's main entry, index.js detaches a child process that runs lib/initializeCaller.js. That script posts the caller's entire process.env to a base64-obfuscated URL (decoded destination: https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df) using axios, then passes the response body to new Function('require', response.data) and invokes it with the module require — giving the remote endpoint arbitrary code execution on the installer's host with full module access. The package name mimics the chai-as-* family while its metadata advertises a JSON logger, and neither role is implemented in the shipped code; the main entry silently spawns the exfil/RCE task instead of exposing any library API. The bulk-environment upload captures CI secrets, cloud tokens, and API keys that live in process.env in typical build environments.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-15T01:21:59Z",
            "source": "amazon-inspector",
            "import_time": "2026-07-15T01:37:35.209111713Z",
            "versions": [
                "3.1.5"
            ],
            "id": "IN-MAL-2026-010594",
            "sha256": "a6820ba756fd8d2eb81435c478feb269e34f2aea859e42b42861d0a28f914a1f"
        },
        {
            "modified_time": "2026-07-15T02:52:15Z",
            "source": "amazon-inspector",
            "import_time": "2026-07-15T03:07:36.015467239Z",
            "versions": [
                "3.1.6"
            ],
            "id": "IN-MAL-2026-010595",
            "sha256": "a822ae725d0887baa11e83624e59f504c11659322a343230ac0cb66c8d5f5c4b"
        }
    ]
}
References
Credits

Affected packages

npm / chai-as-byte

Package

Affected ranges

Affected versions

3.*
3.1.5
3.1.6

Database specific

indicators
{
    "package_integrity": [
        {
            "filename": "chai-as-byte-3.1.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-Ubm7Hg9m7G6G0FWA3pLEwjUKOCoIXvruCEmO/HZqbP7ft+y0n/Ihy/WJ1FOUtLc0cOA1Id2hBFXHwC80PtABDg==",
                "sha1": "afe410ec66cf5e753c85deab9414d31c3f9e9306"
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "dff0e14d24ba2039426e58e2bf1b18461403f9223381d861f7cd936e0f8dc0dea636c8",
            "path": "lib/initializeCaller.js",
            "sha256": "0a22e7a21ac873219d858746d8b32c2e4ba926f598e05fd06a617c792e440f03"
        },
        {
            "tlsh": "30017620dab88e2300ed25924c2a0643ba664c179528fd2932dba12c4fad5fb01bf21d",
            "path": "package.json",
            "sha256": "b49a51495f34bbea0e43a32fd52e668a119407d6ef5888f39bc0d0072e11f94f"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-byte/MAL-2026-10630.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]