{"id":"MAL-2026-10043","summary":"Malicious code in chai-as-modified (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (ab841cd3ab01bfcd1257a214489b41f10e236779e236a0672642777160245a9e)\nPackage name is a 1-2 character variant of the widely-used `chai-as-promised` plugin. The exported function — the entry point users pass to `chai.use(...)` per the copied pino README — invokes a `runBackgroundTask` helper that spawns a detached `node` subprocess (`detached: true`, `stdio: 'ignore'`, `child.unref()`) running a sibling `./lib/initializeCaller.js`, then returns a no-op pass-through middleware. The detached, unref'd child is decoupled from the parent test runner and outlives it — an out-of-band execution channel that has no relationship to the advertised purpose of a chai assertion plugin. The `lib/` directory ships a verbatim copy of unrelated pino source as decoy content, and the README is copied from pinojs/pino. In this specific tarball the referenced `./lib/initializeCaller.js` file is not present, so the fork currently errors out, but the launcher stub, name-confusion vector, decoy content, and covert-execution mechanism are all in place; the missing payload is consistent with a staged release or intended delivery via a sibling/subsequent publish.\n","modified":"2026-07-09T16:31:52.939217729Z","published":"2026-07-09T15:34:58Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-07-09T15:34:58Z","source":"amazon-inspector","versions":["6.0.4"],"import_time":"2026-07-09T16:20:45.342198505Z","id":"IN-MAL-2026-009145","sha256":"ab841cd3ab01bfcd1257a214489b41f10e236779e236a0672642777160245a9e"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-as-modified/v/6.0.4"}],"affected":[{"package":{"name":"chai-as-modified","ecosystem":"npm","purl":"pkg:npm/chai-as-modified"},"versions":["6.0.4"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-modified/MAL-2026-10043.json","indicators":{"evidence_files":[{"sha256":"1f51184c197102444a2c8a23e4a8e54a6479750420512922fcb5d5f795c33911","path":"index.js","tlsh":"0f318545b5f21259126d98c4f6b4a5263cdf9437331b76b1cded93952bce2080032bc7"}],"package_integrity":[{"filename":"chai-as-modified-6.0.4.tgz","hashes":{"sha512_sri":"sha512-pZVE0B3+ZBcBLup07BG7RtfwDOw+T+zeX7zXpYyxXgdxdBq1ETOCqI6rLe1AcMLV2A47dL8QbsNv2/B4OfClmA==","sha1":"55ab6b27cdb0e54c6a6546298dbed06e77f46c34"}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}