{"id":"MAL-2026-10054","summary":"Malicious code in chai-smart (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (28e7b8eaee41f8a9717775967be05791e0daf3f5f3e5070ac28c6a2f544fcc02)\nThe package presents a pino-like logger API but its exported middleware spawns a detached `node` child process running lib/initializeCaller.js. That script base64-decodes a hardcoded URL (https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df) stored in a fake `process.env` object, POSTs the full `process.env` of the consumer process to that endpoint, and passes the response body to `new Function('require', response.data)` invoked with the package's `require`. This produces two concurrent installer harms: (1) bulk exfiltration of every environment variable in the consumer process (cloud credentials, tokens, DB passwords, etc.) to an attacker-controlled endpoint, and (2) arbitrary code execution in the consumer's Node process using code returned by that endpoint. Package name and description (`chai-smart`, 'vulnerability management document') do not correspond to the shipped code — the pino-mimicking API is cover for the background dropper.\n","modified":"2026-07-09T16:31:54.507970096Z","published":"2026-07-09T15:31:31Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-009122","sha256":"28e7b8eaee41f8a9717775967be05791e0daf3f5f3e5070ac28c6a2f544fcc02","versions":["2.3.5"],"modified_time":"2026-07-09T15:31:31Z","source":"amazon-inspector","import_time":"2026-07-09T16:20:42.788191053Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-smart/v/2.3.5"}],"affected":[{"package":{"name":"chai-smart","ecosystem":"npm","purl":"pkg:npm/chai-smart"},"versions":["2.3.5"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-smart/MAL-2026-10054.json","indicators":{"package_integrity":[{"filename":"chai-smart-2.3.5.tgz","hashes":{"sha1":"87170c1699874b68f1befcadf75f7100e43c402c","sha512_sri":"sha512-fAFsBFm2ygqwjeVftBro02nyDsagswQih4X+VYdF0BiLgoTr1C2TDFNZHqRAL357AbHctupTuSLEo5Edzdt24g=="}}],"evidence_files":[{"sha256":"fc61b0ed62e346bfbb5e1e093e475d8b3065247dc8d315f0ea4e7cafd9661bad","tlsh":"f921f38e15fe101d066751e6bb2f24027022e8133946d4a47bcc835b1fc966e99936df","path":"lib/initializeCaller.js"},{"sha256":"1f51184c197102444a2c8a23e4a8e54a6479750420512922fcb5d5f795c33911","tlsh":"0f318545b5f21259126d98c4f6b4a5263cdf9437331b76b1cded93952bce2080032bc7","path":"index.js"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}