MAL-2026-4512

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-repaired/MAL-2026-4512.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4512
Aliases
  • GHSA-fpr5-4jhx-2qw9
Published
2026-05-22T23:58:28Z
Modified
2026-05-27T09:46:51.590574679Z
Summary
Malicious code in chai-as-repaired (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (949b90bd3c157955d029f9ea08bc32aea893e452c4ded78df98b80c1b831be76)

Package name 'chai-as-repaired' is a 1-edit typosquat of the popular 'chai-as-promised' chai plugin (>1M weekly downloads). The published code is unrelated to the advertised purpose: it ships pino-logger-derived source with mismatched metadata (description='vulnerability management', keywords=['logger','stream']). The exported middleware factory in index.js invokes runJobA, which at lines 32-39 calls spawn('node', [script, JSON.stringify(args)], { detached: true, stdio: 'ignore' }) followed by child.unref() — a detached, output-suppressed child process designed to outlive the parent on every consumer invocation. The spawned script ./lib/caller.js is absent from this version, so the spawn fails silently in 5.32.9, but the loader scaffold is in place. Separately, lib/const.js declares DEV_API_KEY whose value base64-decodes to https://api.jsonstorage.net/v1/json/2ef8c758-a96f-459e-b036-b3b90379a165/a179ea35-b962-4722-b3f1-e28316d1a44a — an anonymous public JSON-store endpoint commonly abused as mutable C2, deliberately named to look like a credential rather than a URL. The combination of typosquat name + purpose/metadata mismatch + detached-child stager + hidden base64-encoded anonymous-JSON-store endpoint is a coherent attack scaffold awaiting the missing payload file.

Source: ghsa-malware (6200ca18f04d2ebd704bc9ed0c91ec7e338ca315a3b42d71158a66bafdea7ba2)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
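
A static triage pass for the two traits the amazon-inspector details describe: a string constant that base64-decodes to a URL, and a detached, output-suppressed child process. This is an added example, not code from the package or from either source. The function names, the 400-character look-ahead and the placeholder URL are assumptions, and the sample input is constructed.

```javascript
// Added example: static triage for the two traits the advisory describes.
const B64_LITERAL = /(['"`])([A-Za-z0-9+/]{16,}={0,2})\1/g;
const SPAWN_CALL = /\b(?:spawn|fork|exec|execFile)\s*\(/g;

// String literals whose base64 decoding is a printable http(s) URL.
function findEncodedUrls(source) {
  const hits = [];
  for (const m of source.matchAll(B64_LITERAL)) {
    const decoded = Buffer.from(m[2], 'base64').toString('utf8');
    if (/^https?:\/\/[\x21-\x7e]+$/.test(decoded)) {
      hits.push({ literal: m[2], url: decoded });
    }
  }
  return hits;
}

// Child-process calls that are both detached and output-suppressed.
// The 400-character look-ahead is a heuristic, not a parser.
function findDetachedSpawns(source) {
  const hits = [];
  for (const m of source.matchAll(SPAWN_CALL)) {
    const ctx = source.slice(m.index, m.index + 400);
    if (/detached\s*:\s*true/.test(ctx) && /stdio\s*:\s*(['"])ignore\1/.test(ctx)) {
      hits.push({
        line: source.slice(0, m.index).split('\n').length,
        unref: /\.unref\s*\(\s*\)/.test(ctx),
      });
    }
  }
  return hits;
}

function triage(source) {
  const encodedUrls = findEncodedUrls(source);
  const detachedSpawns = findDetachedSpawns(source);
  return { encodedUrls, detachedSpawns, suspicious: encodedUrls.length + detachedSpawns.length > 0 };
}

// Constructed sample modelled on the description; the URL is a placeholder.
const CONSTRUCTED_URL = 'https://example.invalid/v1/json/constructed-placeholder';
const SAMPLE = `
const { spawn } = require('child_process');
const DEV_API_KEY = '${Buffer.from(CONSTRUCTED_URL).toString('base64')}';
function runJobA(script, args) {
  const child = spawn('node', [script, JSON.stringify(args)], { detached: true, stdio: 'ignore' });
  child.unref();
}
`;
console.log(JSON.stringify(triage(SAMPLE), null, 2));
```

Either finding alone is only a lead, since detached workers and base64 constants both occur in legitimate packages; the two together in a package whose name and metadata do not match its code is the pattern the record flags.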

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-004274",
            "versions": [
                "5.32.9"
            ],
            "sha256": "949b90bd3c157955d029f9ea08bc32aea893e452c4ded78df98b80c1b831be76",
            "source": "amazon-inspector",
            "modified_time": "2026-05-22T23:58:28Z",
            "import_time": "2026-05-26T05:52:16.997722093Z"
        },
        {
            "id": "IN-MAL-2026-004796",
            "import_time": "2026-05-26T05:53:17.819239513Z",
            "sha256": "c58af77607d3c50236fe8a0177a4c41c0b82699c3c550fc24eb4d7678e7cf1f6",
            "source": "amazon-inspector",
            "modified_time": "2026-05-25T23:17:04Z",
            "versions": [
                "5.32.10"
            ]
        },
        {
            "id": "GHSA-fpr5-4jhx-2qw9",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2026-05-27T09:27:52.187696002Z",
            "sha256": "6200ca18f04d2ebd704bc9ed0c91ec7e338ca315a3b42d71158a66bafdea7ba2",
            "source": "ghsa-malware",
            "modified_time": "2026-05-27T08:53:18Z"
        }
    ]
}

Affected packages

npm / chai-as-repaired

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

5.*
5.32.9
5.32.10

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "2956b023858d706a5e241cd28b845088e5f414c5f70bd5d8cb73cb427d081065",
            "tlsh": "5d213c81b9f11188065cd9c8b569e53a38e3c4377207b9b0e9ec87862bcf2080272ad7"
        },
        {
            "path": "lib/const.js",
            "sha256": "a025a28f111db50770d91c8174b0b6803fb62539305856a05cc14ede212510b2",
            "tlsh": "20d0c7e228baa61e05240222060db200f1d0c16f18c227893aea0d05c92256d2982eab"
        }
    ],
    "package_integrity": [
        {
            "filename": "chai-as-repaired-5.32.9.tgz",
            "hashes": {
                "sha512_sri": "sha512-T+9JUZPG5RjntEeTJeYIToiSUY0vLRIzHb2VzKje+woBXIxwSdfO34oAIYNSRqHSLmHuVVlrFtc1BTyBmrdaMQ==",
                "sha1": "e48f375ae7673ca5dc38e5e2792b1947e7d5f1a9"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-repaired/MAL-2026-4512.json"