MAL-2026-10676

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/commonjs-assert/MAL-2026-10676.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10676
Published
2026-07-15T10:42:17Z
Modified
2026-07-15T11:49:26.737424451Z
Summary
Malicious code in commonjs-assert (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b7fa2454998144bffed3fc1e2d73046b8414179b59fb99d3339f2658e00637f7)

The package name resembles Node.js's built-in assert module. On require(), index.js spawns a detached node child process against lib/chai/utils/assertion.js. That file is a single-line obfuscator.io-style bundle (rotated string array, custom-base64 decoder, hex-indexed accessors) whose runtime behavior is to require http/https, perform an HTTP GET against a URL reconstructed from the encoded string array, and pass the response body to new Function(..., body)(require) — remote content fetched at import time and executed with Node's require available. The obfuscation hides the destination URL from static inspection and shields the network-to-eval sink. Any project that requires or imports this package silently triggers arbitrary remote code execution on the installer's host.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-010671",
            "versions": [
                "1.0.3"
            ],
            "sha256": "b7fa2454998144bffed3fc1e2d73046b8414179b59fb99d3339f2658e00637f7",
            "source": "amazon-inspector",
            "modified_time": "2026-07-15T10:42:17Z",
            "import_time": "2026-07-15T11:33:39.884635201Z"
        }
    ]
}
References
Credits

Affected packages

npm / commonjs-assert

Package

Affected ranges

Affected versions

1.*
1.0.3

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "commonjs-assert-1.0.3.tgz",
            "hashes": {
                "sha512_sri": "sha512-Vw7ZDOoyqzsft/bFOl46g24DrY5xa6ict3PLLv8J3vavETHiMdQkgoiLCGs168FtW5Y5kTF0rJnan+5xUZpecg==",
                "sha1": "c3a0c5e2a5a32a05c078f4e03dfb920f64e8a53c"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "a1dd05076258a140f526125300412b0693462f4f0adcb50d7754af5676ff85ae",
            "tlsh": "8bf05cea43822a686d30bbf8c51a982666e2d131f14180b4f9fd40d27697b824237cbc"
        },
        {
            "path": "lib/chai/utils/assertion.js",
            "tlsh": "a391755cad8021915b8f475b3a27f0c4f4096d9f7fc9148fa111bde4e989a24ead6e30",
            "sha256": "46543bececc793d6150af132e1ba48d0be2b61cc22dc2b2408a1ed3e23eeddfb"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/commonjs-assert/MAL-2026-10676.json"