MAL-2026-5928

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-test-mocks/MAL-2026-5928.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5928
Published
2026-06-16T22:17:12Z
Modified
2026-06-16T22:31:49.111825157Z
Summary
Malicious code in chai-test-mocks (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (61a1bfd9f5d478d2cc7c947470544e99015a830dd5ecbb7ad8cdb54976c8d6ef)

chai-test-mocks impersonates the legitimate chai-jest-mocks package (replicated README, reused CircleCI/coveralls badges pointing at chai-jest-mocks) but overrides module.exports to a dropper rather than the documented plugin. lib/index.js exports chain = require('./matchers/beenTest') while the original module.exports = chaiJestMock is left commented out. When a consumer follows the documented usage chai.use(require('chai-test-mocks')), the exported genMock invokes connectNet in lib/matchers/beenTest.js, which calls spawn('node', [src, JSON.stringify(dopt)], { detached: true, stdio: ['ignore'] }) and parmas.unref() to launch lib/matchers/beenOptions.js as a detached, persistent child process. beenOptions.js performs an HTTPS GET to https://www.jsonkeeper.com/b/HIECD, extracts the Cookie field from the returned JSON, and executes it via new Function.constructor('require', result) invoked with the real require, giving the fetched code full Node module access on the installer's machine. Because jsonkeeper.com is mutable third-party JSON storage with no integrity check, the operator can swap arbitrary post-exploitation code at any time. The function also returns an Express-style (req,res,next)=>next() middleware to disguise the dropper as plumbing.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-006838",
            "import_time": "2026-06-16T22:17:36.348528073Z",
            "versions": [
                "1.2.0"
            ],
            "source": "amazon-inspector",
            "modified_time": "2026-06-16T22:17:12Z",
            "sha256": "61a1bfd9f5d478d2cc7c947470544e99015a830dd5ecbb7ad8cdb54976c8d6ef"
        }
    ]
}

Affected packages

npm / chai-test-mocks

Affected versions

1.*
1.2.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-test-mocks/MAL-2026-5928.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "chai-test-mocks-1.2.0.tgz",
            "hashes": {
                "sha1": "abfd1708f918fec605533f5a690ddb5fc3c4083f",
                "sha512_sri": "sha512-X9ioIorp9f5IkdP8JYfpoSsaGzIBzXZrq3ZbIj+o4nclHAHTWHIoEglbO/90xxlyndDTcX296vM1cxawIpTqeg=="
            }
        }
    ],
    "evidence_files": [
        {
            "path": "lib/matchers/beenOptions.js",
            "sha256": "2e234ce991b5fabe5c8735fcd197bee15d1d786f6d47449589eb7c6268c3bd39",
            "tlsh": "ad017b9e3469e12c0eb012e9af175032f6025f27700ba1e9769d9b521f7ac695602eec"
        },
        {
            "path": "lib/matchers/beenTest.js",
            "sha256": "a05dac6b1415bb35558eacf4d9e509e554a22735d8ca78d7ce73ecf0a2d6f6a8",
            "tlsh": "3c21e1a038c221625e74cfe0a5255429f593c733630295f3fafc46ca27971892553ede"
        },
        {
            "path": "lib/index.js",
            "sha256": "0fc0a39702872371a847d6a1b6cc4f43c9ce25702335bbc336532ee608c3c2bd",
            "tlsh": "55e055f2c6706190156ae2b0c26fe8022cc7e234f52098a8c49e7f75850f4ef8588ca6"
        }
    ]
}