MAL-2026-6497

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-synced/MAL-2026-6497.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6497
Published
2026-06-26T02:51:34Z
Modified
2026-06-26T03:31:24.762021558Z
Summary
Malicious code in chai-as-synced (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (7bc0ee3e6a8341e046b84880f9faf0a4750f4a261a791b95d1267066d7828071)

Package name 'chai-as-synced' impersonates the well-known 'chai-as-promised'. On require, index.js spawns a detached, stdio-ignored Node child running lib/initializeCaller.js. That script decodes a base64-obfuscated URL (https://amethyst-lorrin-26.tiiny.site/index.json) and an 'x-secret-key' header literal stored inside a fake local process.env object, performs an HTTPS GET to that anonymous static-hosting endpoint, and passes the returned 'cookie' field to new Function.constructor(...) invoked with require injected, retried up to 5 times. The fetched JavaScript runs in the installer's Node process with full require access. The destination obfuscation, detached/unref'd child, and hidden stdio together indicate a covert loader; the declared dependencies (sqlite3, request, axios) and package keywords do not match the advertised purpose.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "6.0.3"
            ],
            "modified_time": "2026-06-26T02:51:34Z",
            "sha256": "7bc0ee3e6a8341e046b84880f9faf0a4750f4a261a791b95d1267066d7828071",
            "id": "IN-MAL-2026-007582",
            "source": "amazon-inspector",
            "import_time": "2026-06-26T03:14:43.456153823Z"
        }
    ]
}
References
Credits

Affected packages

Package: npm / chai-as-synced
Affected ranges: 6.*
Affected versions: 6.0.3

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-+p9JYFO2tMYylZTW6b71Y9N5u5sGHtz31+ampp7X86TOfJtSJZ/L2yoIKc7u/VW2zzWmkQPNiXD0N3ENL6vtxQ==",
                "sha1": "23bd6fe3dd5432840fef212a69140478da55c017"
            },
            "filename": "chai-as-synced-6.0.3.tgz"
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "tlsh": "6e019c60ce788e2304ed25824c2a064376619c13a928fc1932db512c0f9d5bf05ff26d",
            "sha256": "3653595b1ec1c3c78d9489b77c5cc5f43370481807db71b2873d78cc1be56896"
        },
        {
            "path": "lib/initializeCaller.js",
            "tlsh": "f111008d61fc200c056512e6b22f18116022e4273d4ad4e47adc83470f9627fbd536df",
            "sha256": "2a41c6b7c5e256d70f884c613c6412ef73d86f8cd8a65afe6afb64fabaf4e022"
        },
        {
            "path": "index.js",
            "tlsh": "0f318545b5f21259126d98c4f6b4a5263cdf9437331b76b1cded93952bce2080032bc7",
            "sha256": "1f51184c197102444a2c8a23e4a8e54a6479750420512922fcb5d5f795c33911"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-synced/MAL-2026-6497.json"