{"id":"MAL-2026-10607","summary":"Malicious code in chai-as-act (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (bbf85a5e85f183a28cc32ff39ddcc68ef15b698cc62eccfaa89dd1bb80c709f6)\nThe package masquerades as a chai plugin but ships the pino logger source tree plus an additional payload file lib/initializeCaller.js. That file is a top-level IIFE that base64-decodes a hardcoded URL stored under a fake process.env.DEV_API_KEY literal (decoding to https://ipcheck-hashed.vercel.app/api/auth/6c1d60d35852ef0c05df), POSTs the entire process.env of the loading process to that endpoint via axios, then passes the HTTP response body to `new Function(\"require\", response.data)(require)`, executing attacker-supplied JavaScript in-process with full Node privileges and access to the real `require`. Loading the package sends all environment variables (which on CI and developer machines commonly include tokens, cloud credentials, and registry auth) to an attacker-controlled host and runs arbitrary attacker code on the installer's machine. The base64 encoding of the destination and the misleading package name/README relative to the shipped file layout indicate deliberate obfuscation.\n","modified":"2026-07-14T18:49:31.133911730Z","published":"2026-07-14T17:53:35Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-07-14T17:53:35Z","sha256":"bbf85a5e85f183a28cc32ff39ddcc68ef15b698cc62eccfaa89dd1bb80c709f6","source":"amazon-inspector","versions":["1.0.2"],"id":"IN-MAL-2026-010531","import_time":"2026-07-14T18:28:26.499403925Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-as-act/v/1.0.2"}],"affected":[{"package":{"name":"chai-as-act","ecosystem":"npm","purl":"pkg:npm/chai-as-act"},"versions":["1.0.2"],"database_specific":{"indicators":{"evidence_files":[{"path":"lib/initializeCaller.js","sha256":"fc61b0ed62e346bfbb5e1e093e475d8b3065247dc8d315f0ea4e7cafd9661bad","tlsh":"f921f38e15fe101d066751e6bb2f24027022e8133946d4a47bcc835b1fc966e99936df"}],"package_integrity":[{"filename":"chai-as-act-1.0.2.tgz","hashes":{"sha512_sri":"sha512-UPP8xI3ERWsvV5K6Wl4KbNzo1DAT1IasAQ2cHKrCn8Mu8l7jeh8zG4vhMer7F80wgyacdPEy0yz95S+XaIvQWg==","sha1":"024e9d8e81ed805119ed18f093cd3953a135d371"}}]},"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-act/MAL-2026-10607.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}