MAL-2026-6221

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-assert-kit/MAL-2026-6221.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6221
Published
2026-06-19T15:00:48Z
Modified
2026-06-19T15:47:26.813257209Z
Summary
Malicious code in chai-assert-kit (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (fb347379535c0ea9895e1dc8dd2f20b1fd092b8e62b433bfbd49b2ac1bff2f72)

Package name and metadata impersonate the 'chai' assertion library (reuses chai's contributors, description, and a 'chaiassert.com' homepage), but the package contains no assertion logic. On require()/import, index.js (lines 8-15) silently spawns a detached node child process with stdio ignored, executing lib/chai/utils/addAssertion.js. That file is a heavily obfuscated obfuscator.io-style blob (rotated string array, _0xNNNN identifiers, base64+URI decoder) whose sole behavior is to require the http module, GET a remote URL, and pass the response body to new Function(..., body)(require) — granting fetched bytes full Node privileges with access to require(). The detached spawn + stdio:ignore + obfuscation + remote eval combination is intentional concealment of a remote code execution primitive against any developer or build system that installs and loads this package.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "fb347379535c0ea9895e1dc8dd2f20b1fd092b8e62b433bfbd49b2ac1bff2f72",
            "source": "amazon-inspector",
            "modified_time": "2026-06-19T15:00:48Z",
            "versions": [
                "3.8.1"
            ],
            "id": "IN-MAL-2026-007073",
            "import_time": "2026-06-19T15:41:55.343493912Z"
        }
    ]
}

Affected packages

Package: npm / chai-assert-kit
Affected ranges: 3.*
Affected versions: 3.8.1

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-assert-kit/MAL-2026-6221.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "e045f0b4ff409bcc00b1c2e74f687501740197295b26b41587f94c7d2f39c3d3",
            "tlsh": "19f0dcfa02c1aa286d31bbf18007442623e3c172f24040a8fafd90d26657b835233cbd",
            "path": "index.js"
        },
        {
            "sha256": "3b357f9fe65878e583defafa3797dd69bc859c744705bc303c91c1c2e39d1033",
            "tlsh": "2791fe8626c1798172479faf3a3a54d5d8598e82ffc404a3f61ab898fce4624d4c1bb4",
            "path": "lib/chai/utils/addAssertion.js"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-9cgSBjOPx039fxUHAqIPLDtFsHYGnxHN3PjEddXrLLlCyHR+bZU2YY8+eoSXHOJN5rUBsT8BjJkY+6GNpYhcMA==",
                "sha1": "e56a9ead91d74c552dbf16dd790deb46280789e4"
            },
            "filename": "chai-assert-kit-3.8.1.tgz"
        }
    ]
}