-= Per source details. Do not edit below this line.=-
Package assertcore impersonates the popular chai assertion library (ships a copy of chai source as cover; author and homepage differ from the genuine project). On require('assertcore') / import 'assertcore', index.js spawns a detached node subprocess running lib/chai/utils/addAssertion.js with stdio set to ignore: const chaiBinding = spawn("node", [addAssertion, JSON.stringify(args)], {detached: true, stdio: "ignore"}). The spawned script is heavily obfuscated using obfuscator.io string-array rotation, a base64-with-substitution decoder, and hex-arithmetic indexing to hide that it requires http(s), performs a GET to a URL assembled from obfuscated literals, and passes the response body into new Function('require', body)(require) — executing attacker-supplied JavaScript with full Node privileges on every install or require. The combination of name impersonation, chai-source cover, detached/silenced subprocess, obfuscated network destination, and import-time fetch-and-eval is an unambiguous supply-chain attack on installers.
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
{
"malicious-packages-origins": [
{
"source": "amazon-inspector",
"id": "IN-MAL-2026-007415",
"import_time": "2026-06-24T04:54:33.779968737Z",
"sha256": "4bd2844909a6dd6db77af2d47b2d9a16ff126d892998282f4df4c7ed1f61a4af",
"versions": [
"3.1.7"
],
"modified_time": "2026-06-24T03:50:42Z"
},
{
"id": "GHSA-8f9p-rcjg-hhx4",
"source": "ghsa-malware",
"import_time": "2026-07-15T05:00:56.79332848Z",
"sha256": "4b9c1b24c21140b120efceeccb9ced05c56a580dca792d07c43cffa1e24d7ca8",
"modified_time": "2026-07-14T23:14:24Z",
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
]
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/assertcore/MAL-2026-6365.json"
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "assertcore-3.1.7.tgz",
"hashes": {
"sha512_sri": "sha512-1ya3GEfSwXyQJgbCypvYYvetxqYY3Vk0f0qWOCZngjWhxxqqsMuCje57bAsYv5XwqkzqG93zuwYvUnUpQtyDJQ==",
"sha1": "cb306d3c18ee2b391234f721c01d936f6f2ab4fd"
}
}
],
"evidence_files": [
{
"path": "index.js",
"sha256": "e045f0b4ff409bcc00b1c2e74f687501740197295b26b41587f94c7d2f39c3d3",
"tlsh": "19f0dcfa02c1aa286d31bbf18007442623e3c172f24040a8fafd90d26657b835233cbd"
},
{
"path": "lib/chai/utils/addAssertion.js",
"sha256": "2eb589375bedac37eca772ed22457616cda763b7c0b2fff5f8b9ea7135598e3b",
"tlsh": "2c81002522c01541275bcbfb2e27f1d6d4269c4a7e9c445bea0dbcd8ed65616cbc2b30"
}
]
}