MAL-2026-5748

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-utils-test/MAL-2026-5748.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5748
Published
2026-06-13T20:52:08Z
Modified
2026-06-13T21:46:45.657194513Z
Summary
Malicious code in chai-utils-test (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (64edd573a9e5fdef8dcde78f5b0c9fa00521f232b886be838104741d1e0535f7)

The package name 'chai-utils-test' impersonates the popular 'chai' assertion library, and the package ships a cloned chai source tree. The declared main (index.js) calls a top-level launcher that spawns node lib/chai/utils/assertion.js as a detached child process with stdio:'ignore' and child.unref(), so the dropper outlives the parent process and produces no visible output. The child uses axios to GET https://statecheck.ddns.net/api/scanner.js (a dynamic-DNS host) with a base64-encoded key=YWRtaW46c2VjcmV0MTIz query parameter (likely a server-side gate for staged payload delivery), then runs the response body via new Function('require', s)(require), granting the attacker-served code full Node require() access. The package also pre-installs a global.atob polyfill backed by Buffer.from(x,'base64').toString('utf8') in preparation for the fetched payload. Net effect: any developer machine or CI job that requires or imports this package executes attacker-controlled code fetched from a mutable remote endpoint, with the full privileges of the Node process.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006383",
            "versions": [
                "4.5.3"
            ],
            "sha256": "18fced2e0d10d37dc3ca5a984ff8d36af0b1fb115b05a4a5378e2e5b42597332",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T20:52:09Z",
            "import_time": "2026-06-13T21:32:32.517448462Z"
        },
        {
            "id": "IN-MAL-2026-006389",
            "versions": [
                "4.5.0"
            ],
            "sha256": "93585e9331720cf1478c8e7b95cf9ff62f512b41d3e7d3caf323bd9e16a97aeb",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T20:52:17Z",
            "import_time": "2026-06-13T21:32:32.833626999Z"
        },
        {
            "id": "IN-MAL-2026-006393",
            "versions": [
                "4.5.4"
            ],
            "sha256": "ff4ec29ec510f5f0e3b662983bffec70d14d70c058493edfc2c7def8e0e6829a",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T20:52:21Z",
            "import_time": "2026-06-13T21:32:32.976701894Z"
        },
        {
            "id": "IN-MAL-2026-006386",
            "versions": [
                "4.5.1"
            ],
            "sha256": "2e1bdccf3a79722f18b4d6a1d48b8fc3331ebe7b4a394d3012a19d6c3455fbb8",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T20:52:15Z",
            "import_time": "2026-06-13T21:32:32.702383186Z"
        },
        {
            "id": "IN-MAL-2026-006391",
            "versions": [
                "4.5.5"
            ],
            "sha256": "64edd573a9e5fdef8dcde78f5b0c9fa00521f232b886be838104741d1e0535f7",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T20:52:18Z",
            "import_time": "2026-06-13T21:32:32.902523756Z"
        },
        {
            "id": "IN-MAL-2026-006382",
            "versions": [
                "4.5.3"
            ],
            "sha256": "c724301f7d4afa2a50e7ee6e6b500b2a7392ce13c895f03ab9206ea471636805",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T20:52:08Z",
            "import_time": "2026-06-13T21:32:32.43545565Z"
        },
        {
            "id": "IN-MAL-2026-006388",
            "versions": [
                "4.5.2"
            ],
            "sha256": "dca0b5258c13cba7ee0158286c3f7118c1b44f98657b1001878e9df190443ef7",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T20:52:16Z",
            "import_time": "2026-06-13T21:32:32.809882835Z"
        },
        {
            "id": "IN-MAL-2026-006387",
            "versions": [
                "4.5.0"
            ],
            "sha256": "fa34e73468624d4f80385acb5835a40410dde2339c1d41d6ab2ef32737aad941",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T20:52:15Z",
            "import_time": "2026-06-13T21:32:32.745940182Z"
        },
        {
            "id": "IN-MAL-2026-006385",
            "versions": [
                "4.5.4"
            ],
            "sha256": "1bb5e339775a0025b7b7a3efbadd6cdcb73c30ad3eca45d8f55fc55e533cf72a",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T20:52:14Z",
            "import_time": "2026-06-13T21:32:32.656361912Z"
        },
        {
            "id": "IN-MAL-2026-006384",
            "versions": [
                "4.5.1"
            ],
            "sha256": "4a37c97f62e1bde737d809c7727dc50bf52215caa7bb637e0d027a32fb2dbee0",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T20:52:14Z",
            "import_time": "2026-06-13T21:32:32.562658463Z"
        },
        {
            "id": "IN-MAL-2026-006390",
            "import_time": "2026-06-13T21:32:32.872404885Z",
            "sha256": "6f0b254e6f88070926286a7daf4047309991498afa8b3b9ccd820673fff67619",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T20:52:17Z",
            "versions": [
                "4.5.2"
            ]
        },
        {
            "id": "IN-MAL-2026-006392",
            "versions": [
                "4.5.5"
            ],
            "sha256": "8a46079174a90c2bb08586bcc66d2fc6f7ea6d71bb6385d1f623272b7df9fe16",
            "source": "amazon-inspector",
            "modified_time": "2026-06-13T20:52:19Z",
            "import_time": "2026-06-13T21:32:32.937329696Z"
        }
    ]
}
References
Credits

Affected packages

npm / chai-utils-test

Package

Affected ranges

Affected versions

4.*
4.5.0
4.5.1
4.5.2
4.5.3
4.5.4
4.5.5

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "lib/chai/utils/assertion.js",
            "sha256": "f56fb93121b5e7fccd0df155347cf5b4f46e5abdcb45caf2efc79e490f575eaa",
            "tlsh": "18e0abad3066604c0d313bf8830a443dd222e035384ac2d2b90c01d3493a4096263fe8"
        },
        {
            "path": "index.js",
            "sha256": "a1dd05076258a140f526125300412b0693462f4f0adcb50d7754af5676ff85ae",
            "tlsh": "8bf05cea43822a686d30bbf8c51a982666e2d131f14180b4f9fd40d27697b824237cbc"
        }
    ],
    "package_integrity": [
        {
            "filename": "chai-utils-test-4.5.5.tgz",
            "hashes": {
                "sha512_sri": "sha512-JTFP4ytiy8rV9kwU44bPlpUApUrL9zQ2k/AospJF05KaW3ZvZWeNoTS9oc/anFTF9vkYeDFCPfRmX+a34jO3TA==",
                "sha1": "24f1e1a68608f960496b595ab7c7487d62d6b500"
            }
        }
    ],
    "ips": [
        "104.16.11.34",
        "10.1.0.2",
        "104.16.5.34"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-utils-test/MAL-2026-5748.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]