MAL-2026-5605

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-victimed/MAL-2026-5605.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5605
Published
2026-06-11T07:19:25Z
Modified
2026-06-11T08:01:31.079849114Z
Summary
Malicious code in chai-as-victimed (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (4b60cf728d4e2f5932f37d3e420649f6facc08959a8380a4724ec9e885b88754)

The package name impersonates chai-as-promised, but the package ships a remote-code dropper. lib/caller.js base64-decodes a hardcoded URL pointing to https://api.jsonstorage.net/v1/json/2ef8c758-a96f-459e-b036-b3b90379a165/a179ea35-b962-4722-b3f1-e28316d1a44a (an attacker-controlled, mutable JSON store), issues a GET with a custom x-secret-key: _ header, takes the .cookie field of the response and executes it via new Function.constructor('require', s)(require), which gives the fetched code full Node privileges and access to require. Because the store is mutable, the payload served at analysis time need not be the payload later victims receive. The URL, header name and header value are stored base64-encoded under decoy keys (DEV_API_KEY, DEV_SECRET_KEY, DEV_SECRET_VALUE) on a shadow process.env object so that plain string scans do not find them. index.js spawns node lib/caller.js as a detached child from the package's default export, so any consumer that loads and invokes the advertised middleware triggers arbitrary remote code execution on the host running it; the fetch is retried up to 5 times. The README and keywords mimic a logger (pino) while the package name targets users looking for chai-as-promised; neither matches the actual behaviour.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005695",
            "versions": [
                "6.1.21"
            ],
            "sha256": "4b60cf728d4e2f5932f37d3e420649f6facc08959a8380a4724ec9e885b88754",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T07:19:25Z",
            "import_time": "2026-06-11T07:49:41.999061828Z"
        }
    ]
}
References
Credits

Affected packages

npm / chai-as-victimed

Package: npm / chai-as-victimed
Affected ranges: (not specified)
Affected versions: 6.1.21 (listed under 6.*)

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "lib/caller.js",
            "sha256": "37e9dde0f35864e2ea8dcd4c8b5324ef50e3798195d04c30ba6938352af702db",
            "tlsh": "1b01af9934fe541c015112e9171fa1326050e4673d86e6c83b4c87129fa667e6e93adf"
        },
        {
            "path": "package.json",
            "sha256": "56986b66c617944853d28f650033ee0779fbbd803cec62ca7af8d5606f5fb3c0",
            "tlsh": "7a019c20ce789e2304ed25824c2a064376658c139928fc2932db512c0f9d5bf01bf21d"
        }
    ],
    "package_integrity": [
        {
            "filename": "chai-as-victimed-6.1.21.tgz",
            "hashes": {
                "sha512_sri": "sha512-EmZKweFg1/xMTnaSYZEGHwH+dYqN9+m5yvQ3in/Fr1VcMg4z6yIFnEfuGneP7fcqJu4U4uZJJBXvkt+v6CMwng==",
                "sha1": "6b3122bf905e704e09b579db6b577d13bbe1b516"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-victimed/MAL-2026-5605.json"