-= Per source details. Do not edit below this line.=-
Package is published as chai-as-regulated, a name mimicking the widely-used chai-as-promised Chai plugin, and the README instructs users to register it via chai.use(chaiAsRegulated). The shipped code, however, does not implement a Chai plugin: the tarball contains Pino logger source files (lib/levels.js, lib/proto.js, lib/tools.js, lib/transport.js, docs referencing pinojs/pino), and the package.json description is unrelated boilerplate ("This document describes the management of vulnerabilities for the project and all modules within the organization."). The exported middleware in index.js (lines 32-50) calls runBackgroundTask, which uses child_process.spawn('node', [scriptPath, JSON.stringify(args)], { detached: true, stdio: 'ignore' }) followed by child.unref() to silently launch ./lib/initializeCaller.js as a detached background process passing caller-supplied arguments. The referenced initializeCaller.js is absent from this tarball, so no payload executes today, but the loader shape (typosquat name + identity lie + detached orphan-process spawner pointing at a sibling file) is structured for a future-version payload swap. The combination of name confusion against a popular target, copied unrelated source used as cover, and a silent background-launcher wired into the advertised API exceeds the bar for typosquat-with-payload-shape.
{
"malicious-packages-origins": [
{
"import_time": "2026-05-15T07:37:18.308336923Z",
"versions": [
"2.0.12"
],
"source": "amazon-inspector",
"id": "IN-MAL-2026-002726",
"modified_time": "2026-05-14T19:25:28Z",
"sha256": "67f7f8d21f5d33db136b1e10fc7fbb6d2a1540240911b0630e7fc9f8724c7b26"
}
]
}
{
"evidence_files": [
{
"tlsh": "0f318545b5f21259126d98c4f6b4a5263cdf9437331b76b1cded93952bce2080032bc7",
"sha256": "1f51184c197102444a2c8a23e4a8e54a6479750420512922fcb5d5f795c33911",
"path": "index.js"
}
],
"package_integrity": [
{
"hashes": {
"sha512_sri": "sha512-XtlPU4glHYsY79mwjQy898way9wkx1Zt3xOKXsW6Rh0NO4rYV8u9crW897hHllctZlNAmEmTUlHog4TD1Uk1BA==",
"sha1": "828865b3b3ba7bc5a1e027cc48fdae254b1b1521"
},
"filename": "chai-as-regulated-2.0.12.tgz"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-regulated/MAL-2026-3753.json"
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]