MAL-2026-5907

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-solidity-testkit/MAL-2026-5907.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5907
Published
2026-06-16T16:22:45Z
Modified
2026-06-16T18:16:51.699200664Z
Summary
Malicious code in chai-solidity-testkit (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (7f6482febfb9b57ff5c59a2170dab31ec0dd814ccc21b6996dbb9e7a0c9e575c)

The package masquerades as a Web3/Solidity testing toolkit but its shipped source is an unrelated stream-pipeline library plus a hidden payload runner. The default export chaiPlugin (src/index.js) calls runChain, which spawns node src/utils/swap.js as a detached, unref'd child process. swap.js issues an HTTPS GET to https://jsonkeeper.com/b/CS0FU, takes the response's data.config string, and executes it via new Function.constructor('require', s) invoked with the real require — granting the remote operator full Node.js capabilities (filesystem, network, child_process, env) on the installer's machine. The remote endpoint is author-mutable (a public paste host), so the executed code can change at any time without a package update. The detach+unref pattern lets the payload outlive the calling process. The package name and description impersonate the chai/solidity testing namespace, and the only reason axios is declared as a dependency is to drive the remote fetch in swap.js.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006787",
            "sha256": "7f6482febfb9b57ff5c59a2170dab31ec0dd814ccc21b6996dbb9e7a0c9e575c",
            "import_time": "2026-06-16T18:10:20.360613832Z",
            "modified_time": "2026-06-16T16:22:46Z",
            "source": "amazon-inspector",
            "versions": [
                "1.6.1"
            ]
        },
        {
            "modified_time": "2026-06-16T16:22:45Z",
            "sha256": "e4b95b625d981714721f5d2d3ad2896a01f678f085167245a452e68c16bb5fcf",
            "versions": [
                "1.6.4"
            ],
            "import_time": "2026-06-16T18:10:20.311036159Z",
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-006786"
        }
    ]
}
References
Credits

Affected packages

npm / chai-solidity-testkit

Package

Name
chai-solidity-testkit
View open source insights on deps.dev
Purl
pkg:npm/chai-solidity-testkit

Affected ranges

Affected versions

1.*
1.6.1
1.6.4

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "chai-solidity-testkit-1.6.1.tgz",
            "hashes": {
                "sha1": "33a98f84a4e528cd94842a4e62ef381fda5b8ab5",
                "sha512_sri": "sha512-8f5NN9zZEzyoOM47F7FPiDQ9cS6pK3rUWE6PWanfyRacoms1SNu+PXT+Qa6f+YnlQ32Anziuk08rtZkue0dpZw=="
            }
        }
    ],
    "evidence_files": [
        {
            "tlsh": "1501978f60ac645c097017e2bb1ba032f922a4aa390281d5339c86421f769ad6603ede",
            "sha256": "6faa9466a2b4213b6a754e212214c5cfb4c771d02fa287c9bfe04ee95c265a3c",
            "path": "src/utils/swap.js"
        },
        {
            "tlsh": "6502648958fb30160653e1f4614f850e6feac423284da9b0b19cdeb06f8615c5ab6fe9",
            "sha256": "7f6c9484a7c09bd6589cdb9d0578fe996dd9840820e98da55129a9315d8610f9",
            "path": "src/index.js"
        },
        {
            "tlsh": "2241bb32d4769ca302c91525a9ad1a17a2a084afdf44fc0a7783029dcf8d46f84bd36f",
            "sha256": "0951b388276e96d3a2e6a8839d4122bc5182ae61200df038ec0553a41a815992",
            "path": "package.json"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-solidity-testkit/MAL-2026-5907.json"