MAL-2026-6465

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-built/MAL-2026-6465.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6465
Published
2026-06-25T17:13:38Z
Modified
2026-06-25T17:31:24.244392812Z
Summary
Malicious code in chai-as-built (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (469c5ebe97d1e69d080295000d723febbb06050f65aed9a0f44a76fd707c0b1e)

chai-as-built masquerades as the pino logger (package.json keywords 'fast','logger','stream','json'; file layout lib/proto.js, lib/redaction.js, lib/transport.js, lib/multistream.js, lib/levels.js; export module.exports.pino = middleware) while its name shadows the popular chai-as-promised. When a consumer imports the package and invokes the exported middleware, index.js spawns a detached node child process running lib/initializeCaller.js. That script base64-decodes a hardcoded URL (https://amethyst-lorrin-26.tiiny.site/index.json) hidden inside a fake process.env shadow object, GETs the JSON with a custom header, and passes the response's cookie field to new Function.constructor('require', response), then invokes the resulting function with require — executing arbitrary attacker-supplied JavaScript with full Node privileges. The fetch is retried up to 5 times against a mutable anonymous tiiny.site host with no integrity check. The combination of typosquat/impersonation cover, base64 string concealment of the C2 endpoint, detached child-process execution, and dynamic Function-constructor evaluation of remote content is a textbook supply-chain dropper.
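As an added example, not part of this advisory or of the package it describes, the following static heuristics flag the dropper shape described above in JavaScript source text: a detached child process, a base64-concealed URL, and a Function-constructor evaluation that takes `require`. The rule regexes, verdict thresholds and sample snippets are constructed here; the base64 literal in the sample decodes to a placeholder URL (https://example.invalid/index.json), not the advisory's endpoint.

```javascript
// Added example: static heuristics for the dropper pattern in this advisory,
// run over JavaScript source text. Rules and samples are constructed here.
const RULES = [
  { id: 'child-process', re: /require\(\s*['"]child_process['"]\s*\)/ },
  { id: 'detached-spawn', re: /detached\s*:\s*true/ },
  { id: 'base64-decode', re: /Buffer\.from\([^)]*['"]base64['"]\s*\)|\batob\s*\(/ },
  { id: 'dynamic-function', re: /\bFunction(?:\.constructor)?\s*\(|new\s+Function\b/ },
  { id: 'function-takes-require', re: /Function(?:\.constructor)?\s*\(\s*['"]require['"]/ },
];
// The C2 URL in the advisory is hidden as a base64 literal: decode every
// base64-looking string literal and report those that turn into a URL.
function hiddenUrls(src) {
  const found = [];
  const literal = /['"]([A-Za-z0-9+\/]{16,}={0,2})['"]/g;
  let m;
  while ((m = literal.exec(src)) !== null) {
    const decoded = Buffer.from(m[1], 'base64').toString('utf8');
    if (/^https?:\/\/[\w.-]+/.test(decoded)) found.push(decoded);
  }
  return found;
}
function scanSource(src) {
  const hits = RULES.filter((r) => r.re.test(src)).map((r) => r.id);
  const urls = hiddenUrls(src);
  if (urls.length > 0) hits.push('base64-hidden-url');
  // Remote code execution needs a dynamically built function plus concealed
  // remote content; a detached child process on top is the dropper shape.
  const rce = hits.includes('dynamic-function') &&
    (urls.length > 0 || hits.includes('base64-decode'));
  let verdict = 'clean';
  if (rce && hits.includes('detached-spawn')) verdict = 'dropper';
  else if (rce) verdict = 'suspicious';
  else if (hits.length > 0) verdict = 'review';
  return { verdict, hits, urls };
}
// Constructed samples (not the package's code): the base64 literal decodes to
// https://example.invalid/index.json, a placeholder for the C2 endpoint.
const SUSPECT = [
  "const { spawn } = require('child_process');",
  "const shadow = { HOME: 'aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvaW5kZXguanNvbg==' };",
  "const target = Buffer.from(shadow.HOME, 'base64').toString();",
  "spawn(process.execPath, ['lib/worker.js'], { detached: true, stdio: 'ignore' }).unref();",
  "const run = new Function.constructor('require', body);",
].join('\n');
const CLEAN = "const pino = require('pino');\nmodule.exports = pino({ level: 'info' });";
console.log(scanSource(SUSPECT)); // verdict 'dropper'
console.log(scanSource(CLEAN));   // verdict 'clean'
```

The heuristics are deliberately narrow; the decoded-URL check is what separates a concealed endpoint from ordinary base64 use, so review hits labelled `review` by hand rather than treating them as malicious.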

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "6.0.3"
            ],
            "modified_time": "2026-06-25T17:13:38Z",
            "sha256": "469c5ebe97d1e69d080295000d723febbb06050f65aed9a0f44a76fd707c0b1e",
            "id": "IN-MAL-2026-007523",
            "source": "amazon-inspector",
            "import_time": "2026-06-25T17:17:25.74133394Z"
        }
    ]
}
References
Credits

Affected packages

Package: npm / chai-as-built
Affected ranges: 6.*
Affected versions: 6.0.3

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "chai-as-built-6.0.3.tgz",
            "hashes": {
                "sha512_sri": "sha512-0sSyzQC796bfh/58OkYftg9gYMyl6/wQmXiQvOpfCf9UOo43FdO/gSV/jocENXHo2EoOigWCWwxydmmXz+CRZg==",
                "sha1": "f0d58f8299026707d5da4f0eeaa48b2948b0afcb"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "lib/initializeCaller.js",
            "tlsh": "f111008d61fc200c056512e6b22f18116022e4273d4ad4e47adc83470f9627fbd536df",
            "sha256": "2a41c6b7c5e256d70f884c613c6412ef73d86f8cd8a65afe6afb64fabaf4e022"
        },
        {
            "path": "package.json",
            "tlsh": "ce019c60ce788e2300ed25825c2a0643ba618c13a928fc1932d7512c0f9d5bf11bf21d",
            "sha256": "84b50d037c4b56f843ff1d30de7efa226bdfa6e95b6c8149d91d785255770e20"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-built/MAL-2026-6465.json"