MAL-2026-4515

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-val/MAL-2026-4515.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4515
Published
2026-05-21T12:36:47Z
Modified
2026-05-26T06:02:19.583604297Z
Summary
Malicious code in chai-val (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (515e313c5420dfe9edcb88d61079fa80dbf3539da465572fde5ece42ba6ed748)

The package masquerades as a pino-logger helper (file structure, exports, and keywords are copied from pino) but its main entry exports a middleware that spawns node lib/caller.js as a detached child process. caller.js performs an HTTP GET to https://jsonkeeper.com/b/XRGF3 and passes the response's .cookie field directly into new Function.constructor('require', s), invoking it with the host's require — granting the fetched script full Node.js capabilities (filesystem, network, child_process, env). The destination URL is additionally stored base64-encoded as DEV_API_KEY: "aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iL1hSR0Yz", an obfuscation of the same C2 endpoint. jsonkeeper.com is an anonymous, mutable paste host: today's content can be replaced by the operator at any moment without republishing the npm package. Any developer who installs chai-val and invokes the advertised middleware export triggers arbitrary remote code execution under their Node process.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "515e313c5420dfe9edcb88d61079fa80dbf3539da465572fde5ece42ba6ed748",
            "id": "IN-MAL-2026-003806",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T12:36:47Z",
            "versions": [
                "1.1.9"
            ],
            "import_time": "2026-05-26T05:51:21.246948501Z"
        }
    ]
}

Affected packages

npm / chai-val

Affected versions

1.*
1.1.9

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-val/MAL-2026-4515.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "tlsh": "f8017b8a30fa605c015510f64b1fa4327011e4273c49e5c5378c87524fea9ae6963aed",
            "sha256": "d81e48769a830cd3384a4b8977ade12e5ab7583eb7cca84e7ab966d15871bd71",
            "path": "lib/caller.js"
        },
        {
            "sha256": "2956b023858d706a5e241cd28b845088e5f414c5f70bd5d8cb73cb427d081065",
            "tlsh": "5d213c81b9f11188065cd9c8b569e53a38e3c4377207b9b0e9ec87862bcf2080272ad7",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "chai-val-1.1.9.tgz",
            "hashes": {
                "sha1": "7ea13a8f58ae077a9cfe93e18ba1f8d1724f06c4",
                "sha512_sri": "sha512-c/hIx+j3aSjrtdVF9zmb0IIzjrj8SX8uaXF37bobU8zI63RTRp4WIN6JYQShILIh8U6Hpzl3z78fC6hW9Flplg=="
            }
        }
    ]
}
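
A lockfile check for the indicators in this record, added here as an example and not part of the advisory or of the reporting source's tooling. It takes an already-parsed package-lock.json object; the function names and the sample lockfile are constructed for illustration, while the package name, version and integrity value are the ones listed above.

```javascript
// Indicators copied from this advisory (MAL-2026-4515).
const BAD_NAME = "chai-val";
const BAD_VERSIONS = new Set(["1.1.9"]);
const BAD_INTEGRITY =
  "sha512-c/hIx+j3aSjrtdVF9zmb0IIzjrj8SX8uaXF37bobU8zI63RTRp4WIN6JYQShILIh8U6Hpzl3z78fC6hW9Flplg==";

// Returns the reason an entry matches the advisory, or null.
function matchEntry(name, version, integrity) {
  if (integrity === BAD_INTEGRITY) return "integrity"; // same tarball under any name
  if (name === BAD_NAME && BAD_VERSIONS.has(version)) return "name+version";
  return null;
}

// Lockfile v2/v3: flat "packages" map keyed by install path.
// Aliased installs record the real package name in the entry's "name" field.
function scanPackages(packages, hits) {
  for (const [path, e] of Object.entries(packages || {})) {
    if (path === "") continue; // root project entry
    const name = e.name || path.split("node_modules/").pop();
    const why = matchEntry(name, e.version, e.integrity);
    if (why) hits.push({ path, version: e.version, why });
  }
}

// Lockfile v1: nested "dependencies" tree; aliases appear as "npm:<name>@<version>".
function scanDependencies(deps, trail, hits) {
  for (const [key, e] of Object.entries(deps || {})) {
    const alias = /^npm:(.+)@([^@]+)$/.exec(e.version || "");
    const name = alias ? alias[1] : key;
    const version = alias ? alias[2] : e.version;
    const why = matchEntry(name, version, e.integrity);
    if (why) hits.push({ path: trail.concat(key).join(" > "), version, why });
    scanDependencies(e.dependencies, trail.concat(key), hits);
  }
}

// Takes a parsed package-lock.json object and returns every matching entry.
function findFlaggedPackage(lock) {
  const hits = [];
  if (lock.packages) scanPackages(lock.packages, hits);
  else scanDependencies(lock.dependencies, [], hits);
  return hits;
}

// Constructed sample lockfile (v3 layout), not taken from a real project.
const SAMPLE_LOCK = { packages: {
  "": { name: "demo-app", version: "0.0.1" },
  "node_modules/web/node_modules/chai-val": { version: "1.1.9" },
  "node_modules/log-helper": { name: "chai-val", version: "1.1.9" },
  "node_modules/mirrored": { version: "0.0.0", integrity: BAD_INTEGRITY },
} };
```

To check a real project, parse its package-lock.json with `JSON.parse` and pass the result to `findFlaggedPackage`; an empty array means none of the listed indicators appear in the lockfile.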