{"id":"MAL-2026-10052","summary":"Malicious code in chai-promised-test (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (1ddaac3e93ed2e5d968816cf3153b2ab1878580bb9ee65ec3ec1acdca41dc018)\nPackage masquerades as a chai-as-promised plugin / pino logger (README and exports copied from pino, including `module.exports.pino = middleware`) but on use spawns a detached Node process running lib/caller.js, which fetches a string from https://jsonkeeper.com/b/EXSIF and executes it via `new Function.constructor(\"require\", s)(require)`. The fetched code runs with full Node privileges (require, fs, child_process, network). The C2 URL and request headers are concealed by shadowing the local `process` object with fields named `DEV_API_KEY` / `DEV_SECRET_KEY` / `DEV_SECRET_VALUE`, and lib/const.js carries base64-encoded equivalents that decode to a second jsonkeeper.com paste and the header name `x-secret-key`. The remote paste is mutable and attacker-controlled, allowing arbitrary code execution on the installer's machine. Identity confusion with chai-as-promised / pino indicates the package exists to be installed by mistake.\n","modified":"2026-07-09T16:31:54.252865485Z","published":"2026-07-09T15:33:15Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-009134","modified_time":"2026-07-09T15:33:15Z","source":"amazon-inspector","versions":["1.3.5"],"sha256":"1ddaac3e93ed2e5d968816cf3153b2ab1878580bb9ee65ec3ec1acdca41dc018","import_time":"2026-07-09T16:20:44.112262717Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-promised-test/v/1.3.5"}],"affected":[{"package":{"name":"chai-promised-test","ecosystem":"npm","purl":"pkg:npm/chai-promised-test"},"versions":["1.3.5"],"database_specific":{"indicators":{"package_integrity":[{"filename":"chai-promised-test-1.3.5.tgz","hashes":{"sha1":"950f0390e68be24c7b4ffd511d283266914568a5","sha512_sri":"sha512-Su0Hln3x1UFpaLSuH6y/aKdTWgzgBDn+xwqLc3no1XQPjC6bwyAdrXPWBTV+hSvwYc4HFKDXE8h/QsyTIzmMLQ=="}}],"evidence_files":[{"path":"lib/caller.js","sha256":"c94c68398967a72596733d62b40d3b2df9490056a3b25bfd96333d0a88d84624","tlsh":"e701cb8f30fd101c019122e66b1fe4327010e85b390ae4d4374c87521ffa5aeaa53ede"},{"path":"index.js","sha256":"32e82853dd646aac388b78f868241267a5e6483d847df3d4c843f8100590d469","tlsh":"30213f8175f111480658d9c8b569e5363ce3c4377207b9b0e9ecb7862bcf20c0272ad7"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-promised-test/MAL-2026-10052.json","cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}