MAL-2026-5905

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-plugin-helper/MAL-2026-5905.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5905

Published

2026-06-16T16:32:26Z

Modified

2026-06-16T18:16:51.322483728Z

Summary

Malicious code in chai-plugin-helper (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (ddf8b1cc2e3c780dc0ac44e7691f14f2031f0aca1e1c207f1c15c0815471358b)

chai-plugin-helper poses as a chai plugin and ships a verbatim copy of chai's public API (index.js, lib/chai.js, expect/should/assert exports, version string '4.3.8', description copied from chai) so it functions as a drop-in replacement. On require('chai-plugin-helper'), index.js line 8 spawns a detached background node process that runs lib/chai/utils/assertion.js: const child = spawn("node", [assertion, JSON.stringify(args)], { detached: true, stdio: "ignore" }). assertion.js is obfuscator.io-encoded with a rotated 31-entry string array decoded via a base64+URI-decode chain and hex-named identifiers (_0x479d3b, _0x4a30, etc.). After deobfuscation, the file performs an HTTP(S) GET to a URL built from the encoded constants and passes the response body into new Function(_0x154837[...],_0x375b9e) invoked with the installer's require — executing attacker-controlled remote code with full Node privileges. The copyright header has been altered to 'Anton Lane' while the rest of chai's source is copied verbatim, so installers see a working assertion library and do not notice the dropper running in the background. Combination of namespace impersonation, drop-in API, obfuscation specifically wrapping the fetch+exec path, and remote-code execution at require-time is unambiguous supply-chain attack.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "1fa6d8a2f11a6c11671dc44321aa39d39c989ff466f328a5b04039ad5f1d5bbd",
            "import_time": "2026-06-16T18:10:20.956906003Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T16:32:27Z",
            "versions": [
                "1.7.5"
            ],
            "id": "IN-MAL-2026-006798"
        },
        {
            "sha256": "3d742faa5ee42e676405c26b997801e84fd9b113d1f6c63d66848460eec6f1f0",
            "id": "IN-MAL-2026-006800",
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T16:32:31Z",
            "versions": [
                "1.7.3"
            ],
            "import_time": "2026-06-16T18:10:21.035986231Z"
        },
        {
            "sha256": "d0f3dcd179bd9b9cde43861ed9227050facb703cd3205b0aef4673f3c2db6abb",
            "id": "IN-MAL-2026-006797",
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T16:32:26Z",
            "versions": [
                "1.7.6"
            ],
            "import_time": "2026-06-16T18:10:20.877917514Z"
        },
        {
            "sha256": "ddf8b1cc2e3c780dc0ac44e7691f14f2031f0aca1e1c207f1c15c0815471358b",
            "import_time": "2026-06-16T18:10:20.996135869Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T16:32:27Z",
            "versions": [
                "1.7.4"
            ],
            "id": "IN-MAL-2026-006799"
        }
    ]
}

References

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / chai-plugin-helper

Package

Name: chai-plugin-helper; View open source insights on deps.dev
Purl: pkg:npm/chai-plugin-helper

Affected ranges

Affected versions

1.*

1.7.3

1.7.4

1.7.5

1.7.6

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-plugin-helper/MAL-2026-5905.json"

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

indicators

{
    "evidence_files": [
        {
            "sha256": "f8cba23b01fb2fd480d15013c87ec8059bb5ff105741bb40e2af046b1e4a0572",
            "tlsh": "cb81105193842ac4a69faeff370370f4e06558523e8605eab800bd68fec2728d7c5770",
            "path": "lib/chai/utils/addAssertion.js"
        },
        {
            "sha256": "636beba9ab6fda122746cf069c0a90e73953c94c883f46c49b35f99123ade1ac",
            "tlsh": "4ef0dcfa02c1aa286d31bbf18007442623e3c172f24040a8fafd90d26657b835233cbd",
            "path": "index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "chai-plugin-helper-1.7.5.tgz",
            "hashes": {
                "sha1": "6c40c7cbbec17cf15a05a4c6d4a87a54b1b037ff",
                "sha512_sri": "sha512-1hORJEsAq+/uJNelWGivmO3NoXiqF3FbvLwcJAdVkOzKv22uXjdA/N2QyCm0Y3kzN2lwg5rNFR9nnw1pMhmYGQ=="
            }
        }
    ]
}