{"id":"MAL-2026-10504","summary":"Malicious code in chai-as-verified (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (fece219fd09d83bc6a41135483cf3ce8cd2769c22e7776c22d0eb97d65852dd5)\nPackage name typosquats chai-as-promised while its package.json advertises unrelated logger/vulnerability-management metadata. On require, index.js invokes a middleware() that spawns a detached `node` child process running lib/initializeCaller.js with stdio ignored and unref()'d. That child decodes a base64-hidden URL (https://tomato-brunhilda-40.tiiny.site/index.json) from a shadowed `process.env` object, fetches the JS response with a base64-decoded header name `x-secret-key`, and executes it via `new Function.constructor(\"require\", response)(require)`, granting the remote payload full Node require access. The C2 URL, header name, and header value are stored as base64 to hide them from static analysis.\n","modified":"2026-07-13T22:31:56.856037858Z","published":"2026-07-13T22:10:30Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-07-13T22:10:30Z","sha256":"fece219fd09d83bc6a41135483cf3ce8cd2769c22e7776c22d0eb97d65852dd5","source":"amazon-inspector","versions":["7.1.5"],"id":"IN-MAL-2026-010346","import_time":"2026-07-13T22:21:57.465408608Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-as-verified/v/7.1.5"}],"affected":[{"package":{"name":"chai-as-verified","ecosystem":"npm","purl":"pkg:npm/chai-as-verified"},"versions":["7.1.5"],"database_specific":{"indicators":{"evidence_files":[{"tlsh":"9511c08e61fc200c046512e6b62f18126021e8673d86d5e47acc835b1f9567f7d936df","path":"lib/initializeCaller.js","sha256":"23436f977c9bbe6d302f0f94e191b3dfd938e5a0417ec098d38b60b0ed0cb14f"},{"sha256":"cf56691d128cbabaac3fba4c1f6d3d32b7292fdf79b8d3dfa827dd4ca9ac4653","tlsh":"02019c60ce788e2304ed25825c2e064376618c135928fc1d32d7512c0fad5bf11bf21d","path":"package.json"}],"package_integrity":[{"filename":"chai-as-verified-7.1.5.tgz","hashes":{"sha1":"b8b12a16da62f891f09f5356c4b41a67568ae83d","sha512_sri":"sha512-V5esP/m2nkkYCfR/IMT9tWTylt5y2QLyJOA5ecS2R5Q7fOGmCQ1jK65UX9oihxXcGYetrtll6VReblwwaQ7f4Q=="}}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-verified/MAL-2026-10504.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}