MAL-2026-5906

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-plugin-kit/MAL-2026-5906.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5906

Published

2026-06-16T16:22:48Z

Modified

2026-06-16T18:16:51.417359948Z

Summary

Malicious code in chai-plugin-kit (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (26567b08d635c9b26d6befaba3dfc61a957bcf295cb321d03025b39bc54890ad)

Package republishes the chai source tree under the confusable name chai-plugin-kit. The package's main entry (index.js) spawns a detached, stdio-silenced node subprocess running lib/chai/utils/addAssertion.js on every require('chai-plugin-kit'). That file is heavily obfuscated with obfuscator.io transforms (rotated 31-entry string array _0x4a30, custom base64 decoder _0x495d, hex-named identifiers, control-flow flattening) hiding an https GET to an attacker-controlled URL whose response body is passed to new Function('require', body) and immediately invoked with the real require — granting attacker-controlled JavaScript full Node API access (filesystem, network, child_process, env). The detached + unref + stdio:'ignore' pattern is deliberate evasion to hide the child process from the consuming developer. A legitimate chai plugin has no reason to fetch and eval remote code.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "26567b08d635c9b26d6befaba3dfc61a957bcf295cb321d03025b39bc54890ad",
            "id": "IN-MAL-2026-006790",
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T16:22:48Z",
            "versions": [
                "5.8.1"
            ],
            "import_time": "2026-06-16T18:10:20.51964844Z"
        }
    ]
}

References

https://www.npmjs.com/package/chai-plugin-kit/v/5.8.1

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / chai-plugin-kit

Package

Name: chai-plugin-kit; View open source insights on deps.dev
Purl: pkg:npm/chai-plugin-kit

Affected ranges

Affected versions

5.*

5.8.1

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-plugin-kit/MAL-2026-5906.json"

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

indicators

{
    "evidence_files": [
        {
            "sha256": "e045f0b4ff409bcc00b1c2e74f687501740197295b26b41587f94c7d2f39c3d3",
            "tlsh": "19f0dcfa02c1aa286d31bbf18007442623e3c172f24040a8fafd90d26657b835233cbd",
            "path": "index.js"
        },
        {
            "sha256": "961b2fbc992308f4161585b983b21aad70e6e352f089b22cf1534add58e73f53",
            "tlsh": "5181fd9552842ac0a69feeff3b0370e4d06659567e8605eab800bd64fdc2728d7c6b70",
            "path": "lib/chai/utils/addAssertion.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "chai-plugin-kit-5.8.1.tgz",
            "hashes": {
                "sha1": "4b1dbd25581c5c15bbfd7c7f41706c47aefbedaf",
                "sha512_sri": "sha512-wYUFBdc4wZxvHBbB8rxrdQz3NC/h1Ol2S1SaZ/BYyvPrJR9EbRqXQWCIfL5jeKKH/yOLH54KN0umfOXPfqsbGw=="
            }
        }
    ]
}