MAL-2026-6994

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-presentation/MAL-2026-6994.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6994
Published
2026-07-08T16:35:25Z
Modified
2026-07-08T17:16:46.127871595Z
Summary
Malicious code in chai-presentation (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (854dd2b8a43d8936f153925a2af8ee8de5d18647149aeba69fb0329eaa461b93)

The package presents itself as a chai assertion plugin but its main entrypoint index.js contains an appended IIFE that, on every require, performs an HTTPS GET against https://www.jsonkeeper.com/b/PC5CK, takes the cookie field from the JSON response, wraps it in new Function('require',...), and invokes it with the package's own require — giving the fetched payload full Node privileges in the importing process. index.js additionally spawns a detached, stdio-ignored Node child running lib/caller.js, which loops an HTTP GET against a URL constructed from lib/config.js and, on a 404 with a token body, evaluates that body via new (Function.constructor)('require', res.token) — a second, backgrounded remote-code-execution channel that survives the parent. The advertised chai helpers and an unrelated bundled 'flowlimit' lib/ tree serve as cover for the loaders. jsonkeeper.com is a mutable paste-style host, so the delivered payload can change silently without a package update.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-08T16:35:25Z",
            "id": "IN-MAL-2026-008157",
            "source": "amazon-inspector",
            "import_time": "2026-07-08T17:01:35.139009961Z",
            "sha256": "854dd2b8a43d8936f153925a2af8ee8de5d18647149aeba69fb0329eaa461b93",
            "versions": [
                "0.0.1"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / chai-presentation

Package

Affected ranges

Affected versions

0.*
0.0.1

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "index.js",
            "tlsh": "e7d1c1a839a7a0188523b1f5097fa416e177a1172029d9d8b5ecc2d00fddee89523dfa",
            "sha256": "e007edbe8b5db9c0904ba7cbb3ee8d0013bb28273b3733b32ad9e641ca16c006"
        },
        {
            "path": "lib/caller.js",
            "tlsh": "8721245628fa31190726a8deca4bd4313426f5332626d0c0f69c87861fe789e96b77dc",
            "sha256": "e8a73ca951f7af5663bbbff07c9d57b43c1649109ddaf49a7364d2e5b300e8fa"
        },
        {
            "path": "package.json",
            "tlsh": "0c0145a4cc78dd7309da22a1982e4157a1619d074c18fc0e33e6422c8f8c86f21bea6d",
            "sha256": "bbb115ded260f2d6a9fc4c7b9404a837dcd83f3147719f78b9c22de07188076d"
        }
    ],
    "package_integrity": [
        {
            "filename": "chai-presentation-0.0.1.tgz",
            "hashes": {
                "sha1": "8e427038ff070bc0760db50772783101366319c2",
                "sha512_sri": "sha512-M8CtXM0bZ2+zuPPFxL0nTmv/b+Dqw621rnBPIlR2mhZRLoefK4RnBSBzBKZrTVAec4fwJwoodhx1KyfOiwrmEw=="
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-presentation/MAL-2026-6994.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code"
    }
]