MAL-2026-4516

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chain-async-test/MAL-2026-4516.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-4516

Published

2026-05-20T20:46:47Z

Modified

2026-05-26T06:02:20.061373147Z

Summary

Malicious code in chain-async-test (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (37ce7d13d84d6293da0026d252448caac350f46ecf2206ee1eaeeff8b47d48c6)

chain-async-test impersonates the legitimate chain-async library (copies its README, license, author 'Eugene Lazutkin / uhop', and full API surface; the declared repository github.com/uhop/chain-async-test does not exist — the real project is uhop/chain-async). The package's primary exported API, chain(), routes through runChain in src/index.js (lines 225-232), which spawns src/utils/swap.js as a detached, unref'd Node child process (stdio ignored). swap.js (lines 21-23) issues an axios GET to https://www.jsonkeeper.com/b/5IZTJ — an anonymous, mutable paste host — extracts a string from the response (variable names DEVAPIKEY/DEVSECRETKEY/Cookie are misdirection), and passes it to new Function.constructor('require', s) invoked with the package's own require. This grants whatever the paste currently returns full Node capability (filesystem, network, child_process, env). Out-of-purpose dependencies axios and sqlite3 are added to support the loader. Any consumer calling chain(...) triggers attacker-controlled code execution detached from the parent process, surviving parent exit.

Database specific

{
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-26T05:50:58.223504457Z",
            "versions": [
                "1.1.7"
            ],
            "sha256": "37ce7d13d84d6293da0026d252448caac350f46ecf2206ee1eaeeff8b47d48c6",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T20:46:47Z",
            "id": "IN-MAL-2026-003613"
        }
    ]
}

References

https://www.npmjs.com/package/chain-async-test/v/1.1.7

Credits

- Amazon Inspector - FINDER
- - actran@amazon.com

Affected packages

npm / chain-async-test

Package

Name: chain-async-test; View open source insights on deps.dev
Purl: pkg:npm/chain-async-test

Affected ranges

Affected versions

1.*

1.1.7

Database specific

indicators

{
    "evidence_files": [
        {
            "tlsh": "2601978f70ac545c09b013e6bb2be436f522b56a390281d0339c86421f769a96653eee",
            "sha256": "4a0017b65e11fcd09a3fe9a33ef4a08712ce4330e2eb03eb7d0c4ef5a311d8e5",
            "path": "src/utils/swap.js"
        },
        {
            "tlsh": "9902649958fb30160653e1f4614f850e6fe9c423284da9b0b19cdeb06f8605c5ab6fe9",
            "sha256": "775d1927920167b419d7e774578160d010de5190856b1339bf1f3b42cc03273a",
            "path": "src/index.js"
        },
        {
            "tlsh": "2f418d32d4729c9306c51565f8ad1a1762a0886bcf44fd0b778602accf4e06f94bc36f",
            "sha256": "8deb2e6ec9bb8a21f322dbee1356b77fb6c484218bba4a73f159402c097e71be",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-1wWC1bRxPyfBkgoctda4ZsU16uNtd0AA8T3lVtW9QOLGITWMKWDlY6YvIXug+bzB4Y9NnFQn5P0WUnHDy3sJSQ==",
                "sha1": "7f7e7ac05f33fff0d0490edf0fb3de36eb85ba47"
            },
            "filename": "chain-async-test-1.1.7.tgz"
        }
    ]
}

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chain-async-test/MAL-2026-4516.json"

cwes

[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]