MAL-2026-5904

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-plugin/MAL-2026-5904.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5904
Published
2026-06-16T16:22:46Z
Modified
2026-06-16T18:16:51.540720152Z
Summary
Malicious code in chai-plugin (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (67e08b149ec19ba5622783cfdf864741264b5f6cbe5f56a15c8553c6f1ab5106)

Package name chai-plugin impersonates the popular chai assertion library — README and copyright headers reference chaijs.com / chaijs/chai, but the homepage is the lookalike chaiplugin.com and the author is unrelated to chai's real maintainer. Two obfuscator.io payloads (hex-named identifiers, rotated string array with a base64+URI custom decoder, control-flow obfuscation, arithmetic self-check) are glued onto otherwise-legitimate chai source.

(1) lib/chai/utils/assertion.js builds a URL with a query parameter, calls require('http'|'https').get(url,...), accumulates the response body, then executes the bytes via new Function('require', body)(require) — an import-time dropper that runs whatever JS the remote server currently serves, with full Node require capability.

(2) lib/chai.js destructures spawn from child_process and unconditionally invokes a top-level function that runs spawn(<cmd>, [path.join(__dirname, <sibling>), JSON.stringify(opts)], {detached: true, stdio:...}).unref(), backgrounding a malicious worker that survives the parent process.

Both fire at module load via index.js -> require('./lib/chai'). The combination of typosquat name, obfuscation smuggled onto legitimate source, network-fetch-and-eval, and detached subprocess launch is a malicious supply-chain dropper.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "67e08b149ec19ba5622783cfdf864741264b5f6cbe5f56a15c8553c6f1ab5106",
            "id": "IN-MAL-2026-006789",
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T16:22:47Z",
            "versions": [
                "4.5.3"
            ],
            "import_time": "2026-06-16T18:10:20.479391284Z"
        },
        {
            "sha256": "d8288900390b603834b85d1945f829d1c5386bd7cbca56ded07b27557ddb4d0f",
            "import_time": "2026-06-16T18:10:20.819692603Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T16:22:54Z",
            "versions": [
                "4.5.5"
            ],
            "id": "IN-MAL-2026-006796"
        },
        {
            "sha256": "955522a906103bb6eae62759721a35b120cdaffd1d2747a2f1b73b37c6d2d1db",
            "id": "IN-MAL-2026-006792",
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T16:22:50Z",
            "versions": [
                "4.5.2"
            ],
            "import_time": "2026-06-16T18:10:20.588614063Z"
        },
        {
            "sha256": "9bbe8cb82be82f91cf6332988d29fcdd4e7574f766af4d524ce5c08edc9f94f6",
            "id": "IN-MAL-2026-006788",
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T16:22:46Z",
            "versions": [
                "4.5.4"
            ],
            "import_time": "2026-06-16T18:10:20.412411486Z"
        }
    ]
}
References
Credits

Affected packages

Package: npm / chai-plugin
Affected ranges: 4.*
Affected versions: 4.5.2, 4.5.3, 4.5.4, 4.5.5

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-plugin/MAL-2026-5904.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "sha256": "03c3bd14626efeb31b5a90d20a3115c8bcad2d98c1d2eb638d47c70044fe91a3",
            "tlsh": "8f214760cd689eb30ada12d4342e001371318e434e54fc0d37aa274d0f9e46f357da5d",
            "path": "package.json"
        },
        {
            "sha256": "f8cba23b01fb2fd480d15013c87ec8059bb5ff105741bb40e2af046b1e4a0572",
            "tlsh": "cb81105193842ac4a69faeff370370f4e06558523e8605eab800bd68fec2728d7c5770",
            "path": "lib/chai/utils/assertion.js"
        },
        {
            "sha256": "ba7ecd720b416756efb4f433f96bded0b8472bdbce535ebc129e39e5c6ac90c3",
            "tlsh": "72a165953ac06da153079efb773ba5d4e405cecf7289449d8120b590aee192ecd92f32",
            "path": "lib/chai.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "chai-plugin-4.5.3.tgz",
            "hashes": {
                "sha1": "8b522378612e9a54014d0653ba22e739172f3387",
                "sha512_sri": "sha512-S6z2OB197s00jsek6ikpXeEmdFBbgCTaQuZhiOaCxJk/p8XzfY1bHDgl/N3z98pFuqieglEBedoY+hlwau90Ig=="
            }
        }
    ]
}