MAL-2026-6219

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-forgeted/MAL-2026-6219.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-6219

Published

2026-06-19T14:10:27Z

Modified

2026-06-19T15:47:26.742009452Z

Summary

Malicious code in chai-as-forgeted (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b6b32b714919c755532ed3d2695d1966568c24878e9721a5d756896d81881020)

Package name impersonates the popular chai-as-promised assertion library, but its package.json description and keywords are copied from pino and the code is unrelated to chai. The package's main entry exports a middleware factory that spawns lib/caller.js as a detached node child process. lib/caller.js base64-decodes a hardcoded URL pointing at api.jsonstorage.net (a mutable third-party JSON storage service), GETs the JSON document, extracts the cookie field, and executes its contents via new Function.constructor('require', s)(require) with full access to require. The C2 URL and request headers are stored as base64 strings inside a locally redefined process object that shadows the real process global, then decoded with atob at runtime. Any consumer who installs and invokes the exported middleware triggers arbitrary attacker-controlled code execution; the attacker can rotate the payload served by the JSON storage endpoint at will.

Database specific

{
    "malicious-packages-origins": [
        {
            "sha256": "b6b32b714919c755532ed3d2695d1966568c24878e9721a5d756896d81881020",
            "source": "amazon-inspector",
            "modified_time": "2026-06-19T14:10:27Z",
            "versions": [
                "9.24.6"
            ],
            "id": "IN-MAL-2026-007065",
            "import_time": "2026-06-19T15:41:54.804687325Z"
        }
    ]
}

References

https://www.npmjs.com/package/chai-as-forgeted/v/9.24.6

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / chai-as-forgeted

Package

Name: chai-as-forgeted; View open source insights on deps.dev
Purl: pkg:npm/chai-as-forgeted

Affected ranges

Affected versions

9.*

9.24.6

Database specific

cwes

[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-forgeted/MAL-2026-6219.json"

indicators

{
    "evidence_files": [
        {
            "sha256": "37e9dde0f35864e2ea8dcd4c8b5324ef50e3798195d04c30ba6938352af702db",
            "tlsh": "1b01af9934fe541c015112e9171fa1326050e4673d86e6c83b4c87129fa667e6e93adf",
            "path": "lib/caller.js"
        },
        {
            "sha256": "842a296220c20e1ad41ccff4bbaf394d574704b14b6731989b1d7f0708840a1c",
            "tlsh": "7e019c60ce788e2304ed25824c2e0643b6659c139928fc1932d7512c0f9d9bf15bf25d",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-QD0MAM/tH4wen/cwZEPYwtuG2KMatHpoZwHNJKyirzP0wew4gkGDs6lMUF7n7cuzTSd+Cr5R5GrV7iiveIxzFQ==",
                "sha1": "8dcc2abb4ef93b067275f49f1789d685ec1d6975"
            },
            "filename": "chai-as-forgeted-9.24.6.tgz"
        }
    ]
}