-= Per source details. Do not edit below this line.=-
The package presents itself as a chai assertion plugin but its main entrypoint index.js contains an appended IIFE that, on every require, performs an HTTPS GET against https://www.jsonkeeper.com/b/PC5CK, takes the cookie field from the JSON response, wraps it in new Function('require',...), and invokes it with the package's own require — giving the fetched payload full Node privileges in the importing process. index.js additionally spawns a detached, stdio-ignored Node child running lib/caller.js, which loops an HTTP GET against a URL constructed from lib/config.js and, on a 404 with a token body, evaluates that body via new (Function.constructor)('require', res.token) — a second, backgrounded remote-code-execution channel that survives the parent. The advertised chai helpers and an unrelated bundled 'flowlimit' lib/ tree serve as cover for the loaders. jsonkeeper.com is a mutable paste-style host, so the delivered payload can change silently without a package update.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-08T16:35:25Z",
"id": "IN-MAL-2026-008157",
"source": "amazon-inspector",
"import_time": "2026-07-08T17:01:35.139009961Z",
"sha256": "854dd2b8a43d8936f153925a2af8ee8de5d18647149aeba69fb0329eaa461b93",
"versions": [
"0.0.1"
]
}
]
}{
"evidence_files": [
{
"path": "index.js",
"tlsh": "e7d1c1a839a7a0188523b1f5097fa416e177a1172029d9d8b5ecc2d00fddee89523dfa",
"sha256": "e007edbe8b5db9c0904ba7cbb3ee8d0013bb28273b3733b32ad9e641ca16c006"
},
{
"path": "lib/caller.js",
"tlsh": "8721245628fa31190726a8deca4bd4313426f5332626d0c0f69c87861fe789e96b77dc",
"sha256": "e8a73ca951f7af5663bbbff07c9d57b43c1649109ddaf49a7364d2e5b300e8fa"
},
{
"path": "package.json",
"tlsh": "0c0145a4cc78dd7309da22a1982e4157a1619d074c18fc0e33e6422c8f8c86f21bea6d",
"sha256": "bbb115ded260f2d6a9fc4c7b9404a837dcd83f3147719f78b9c22de07188076d"
}
],
"package_integrity": [
{
"filename": "chai-presentation-0.0.1.tgz",
"hashes": {
"sha1": "8e427038ff070bc0760db50772783101366319c2",
"sha512_sri": "sha512-M8CtXM0bZ2+zuPPFxL0nTmv/b+Dqw621rnBPIlR2mhZRLoefK4RnBSBzBKZrTVAec4fwJwoodhx1KyfOiwrmEw=="
}
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-presentation/MAL-2026-6994.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
}
]