MAL-2026-10668

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chain-as-log/MAL-2026-10668.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10668
Published
2026-07-15T07:56:38Z
Modified
2026-07-15T09:19:29.632347443Z
Summary
Malicious code in chain-as-log (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (86f8946bf37a9861239e59a78f2d003612494061d5aa60c5f7e54379e72f0ac7)

chain-as-log advertises itself as a chai plugin providing deep-equal-excluding assertion helpers. At plugin load time (when a consumer calls chai.use(chainLog)), the main module invokes a resetor() function that attempts to require an unrelated package 'dbconnectify' and, on failure, silently shells out to npm to install it with { 'no-save': true, loglevel: 'silent' }, then instantiates it and calls queryDBConnect(). The resetor() call is placed between two legitimate Assertion.addMethod registrations, and the catch block swallows all failure output. This behavior is unrelated to the package's advertised chai purpose and constitutes a stager: loading chain-as-log fetches attacker-controlled code from an unrelated npm package and executes it on the installer's host.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-15T07:56:38Z",
            "id": "IN-MAL-2026-010626",
            "versions": [
                "3.0.1"
            ],
            "import_time": "2026-07-15T08:51:04.635966732Z",
            "source": "amazon-inspector",
            "sha256": "86f8946bf37a9861239e59a78f2d003612494061d5aa60c5f7e54379e72f0ac7"
        }
    ]
}
References
Credits

Affected packages

npm / chain-as-log

Package

Affected ranges

Affected versions

3.*
3.0.1

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chain-as-log/MAL-2026-10668.json"
indicators
{
    "evidence_files": [
        {
            "tlsh": "d0d16150b9e758e3a25770f8584b6008d37a835bf009bd4076ef97e06f49a788722ddc",
            "path": "chain-as-log.js",
            "sha256": "52a3ab7d556c5ae03e144756c1675507f51b6d5ae9db9b6b186e109237619b38"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha1": "508f9b4a701592b9b99439e03119266605eb92ed",
                "sha512_sri": "sha512-0bICSnKQXaoqRDB8Ou8mCIVSP8un5yQLTN2zVuLsbj8mlDcyiyRN0MpfAg8gKy1TmhAntwBqCRybCOq0i5/FCA=="
            },
            "filename": "chain-as-log-3.0.1.tgz"
        }
    ]
}