-= Per source details. Do not edit below this line.=-
The package name resembles Node.js's built-in assert module. On require(), index.js spawns a detached node child process against lib/chai/utils/assertion.js. That file is a single-line obfuscator.io-style bundle (rotated string array, custom-base64 decoder, hex-indexed accessors) whose runtime behavior is to require http/https, perform an HTTP GET against a URL reconstructed from the encoded string array, and pass the response body to new Function(..., body)(require) — remote content fetched at import time and executed with Node's require available. The obfuscation hides the destination URL from static inspection and shields the network-to-eval sink. Any project that requires or imports this package silently triggers arbitrary remote code execution on the installer's host.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-010671",
"versions": [
"1.0.3"
],
"sha256": "b7fa2454998144bffed3fc1e2d73046b8414179b59fb99d3339f2658e00637f7",
"source": "amazon-inspector",
"modified_time": "2026-07-15T10:42:17Z",
"import_time": "2026-07-15T11:33:39.884635201Z"
}
]
}[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
{
"package_integrity": [
{
"filename": "commonjs-assert-1.0.3.tgz",
"hashes": {
"sha512_sri": "sha512-Vw7ZDOoyqzsft/bFOl46g24DrY5xa6ict3PLLv8J3vavETHiMdQkgoiLCGs168FtW5Y5kTF0rJnan+5xUZpecg==",
"sha1": "c3a0c5e2a5a32a05c078f4e03dfb920f64e8a53c"
}
}
],
"evidence_files": [
{
"path": "index.js",
"sha256": "a1dd05076258a140f526125300412b0693462f4f0adcb50d7754af5676ff85ae",
"tlsh": "8bf05cea43822a686d30bbf8c51a982666e2d131f14180b4f9fd40d27697b824237cbc"
},
{
"path": "lib/chai/utils/assertion.js",
"tlsh": "a391755cad8021915b8f475b3a27f0c4f4096d9f7fc9148fa111bde4e989a24ead6e30",
"sha256": "46543bececc793d6150af132e1ba48d0be2b61cc22dc2b2408a1ed3e23eeddfb"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/commonjs-assert/MAL-2026-10676.json"