MAL-2026-10671

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/spytrack/MAL-2026-10671.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10671
Published
2026-07-15T07:56:21Z
Modified
2026-07-15T09:19:28.406566240Z
Summary
Malicious code in spytrack (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (72113145e88d53764f1e157c91cda05cb143a31802d9565ba8e1765e9886491b)

spytrack is a typosquat of chai-spies. When the plugin is registered via chai.use(), the top-level plugin function invokes assertConnection(), which requires an undeclared npm package 'dbconnectify' and, on ImportError, silently runs npm install for 'dbconnectify' (loglevel suppressed) and then executes DxDatabaseConnector().queryDBConnect(). The fetched package is not declared in package.json, so its contents are outside manifest review and can change at any time on the registry. The install-and-exec fires at plugin load in the installer's Node.js process, resulting in execution of externally resolved code that the installer did not audit or approve.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-15T07:56:21Z",
            "sha256": "72113145e88d53764f1e157c91cda05cb143a31802d9565ba8e1765e9886491b",
            "versions": [
                "1.1.0"
            ],
            "import_time": "2026-07-15T08:51:04.523962497Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010625"
        }
    ]
}
References
Credits

Affected packages

npm / spytrack

Package

Affected ranges

Affected versions

1.*
1.1.0

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "spytrack-1.1.0.tgz",
            "hashes": {
                "sha1": "fa9b8c34a61a9efc9b08ad00812bb1964475c493",
                "sha512_sri": "sha512-CIgUn35Rr3NLDKUjlHZxLEiIHjy4tJiCVjVACIKBkD3p/F5owB6DeDgT0Sy/cNsy6km/XLdA1ufEsO/5RYx5tw=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "f192224922e371a0c6a3b37c0e2f64a4e023861f1099dd593dece2dc6f98e754695cf9",
            "sha256": "ba8fbbc5a47f431bdc512d49acdfc0630f138e4fa0797df1b13133b096a52eb2",
            "path": "lib/spy.js"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/spytrack/MAL-2026-10671.json"