MAL-2026-6544
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-persisted/MAL-2026-6544.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-6544
- Published
- 2026-06-27T02:32:25Z
- Modified
- 2026-06-27T03:31:39.039006939Z
- Summary
- Malicious code in chai-as-persisted (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (5cf9c49450e0fa0d47be1b6ae27991f844868ff6c435d2082948b5feae862709)
The package's postinstall script (
npm run smoke:pino) executes index.js, which spawns a detachednode lib/initializeCaller.jschild. That module hides the C2 URL in base64 strings stored under a fabricated localprocess.envobject (keysDEV_API_KEY,DEV_SECRET_KEY,DEV_SECRET_VALUE) to defeat trivial string scanning. At install time itatob()-decodes the URL tohttps://www.ipregionchecker.org/api/ip-check-encrypted/3aeb34a37, POSTs to it via axios, and passes the response body tonew Function.constructor('require', response), invoking it withrequire— executing attacker-controlled JavaScript with full Node module access on the installer's machine. The detachedchild.unref()keeps execution alive afternpm installreturns. The package namechai-as-persistedis a one-edit impersonation of the widely-usedchai-as-promised; the shipped code is unrelated to chai (it pretends to be a pino-style logger middleware in index.js) and the package description/keywords (logger/stream/json) further misrepresent its purpose. This is a deliberate install-time RCE dropper distributed via a typosquat against chai-as-promised. - Database specific
{ "malicious-packages-origins": [ { "versions": [ "4.2.8" ], "source": "amazon-inspector", "modified_time": "2026-06-27T02:32:37Z", "sha256": "5cf9c49450e0fa0d47be1b6ae27991f844868ff6c435d2082948b5feae862709", "id": "IN-MAL-2026-007675", "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" } ] } ], "import_time": "2026-06-27T03:13:09.022299524Z" }, { "versions": [ "6.1.9" ], "ranges": [ { "type": "SEMVER", "events": [ { "introduced": "0" } ] } ], "modified_time": "2026-06-27T02:32:25Z", "sha256": "611d869aaf9d1a8b945c83cc9982fd76cd49a26563d444af3cee98ccb5b6fbda", "id": "IN-MAL-2026-007674", "source": "amazon-inspector", "import_time": "2026-06-27T03:13:08.872578262Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / chai-as-persisted
Package
- Name
- chai-as-persisted
- View open source insights on deps.dev
- Purl
- pkg:npm/chai-as-persisted
Affected ranges
- Type
- SEMVER
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Database specific
cwes
[
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
},
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
]
indicators
{
"package_integrity": [
{
"filename": "chai-as-persisted-4.2.8.tgz",
"hashes": {
"sha512_sri": "sha512-OF+BlgV0u9rUuZYMvemtJ0jtoutqeNa8QgGbcduKIJEtdzrvqyHPkXKiBLwOBjOV6NQZL/j/0XmtVd9hDuBy+Q==",
"sha1": "f81cd3b1b4fa7eb57ab85af8d81f00ae94b10c89"
}
}
],
"evidence_files": [
{
"path": "lib/initializeCaller.js",
"tlsh": "4d119c4d71f82008042151e5b62f14126025e4673d8ad5e4bacc834b1fa667fbd53adf",
"sha256": "76ca537732f161ae4d3a78b876390ddbab16e001c392a74009b31fb91ce4f89b"
},
{
"path": "package.json",
"tlsh": "d0019720debc4e2305ed25860c2a06037a615c175528fc2833e7922c0f9d5bb00ff22e",
"sha256": "f061b9cb90a2c542ba90a73748290ff65dc070f811f75772bbfd0cc4453e0cbb"
}
]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-persisted/MAL-2026-6544.json"