{"id":"MAL-2026-3753","summary":"Malicious code in chai-as-regulated (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (67f7f8d21f5d33db136b1e10fc7fbb6d2a1540240911b0630e7fc9f8724c7b26)\nPackage is published as `chai-as-regulated`, a name mimicking the widely-used `chai-as-promised` Chai plugin, and the README instructs users to register it via `chai.use(chaiAsRegulated)`. The shipped code, however, does not implement a Chai plugin: the tarball contains Pino logger source files (lib/levels.js, lib/proto.js, lib/tools.js, lib/transport.js, docs referencing pinojs/pino), and the package.json description is unrelated boilerplate (\"This document describes the management of vulnerabilities for the project and all modules within the organization.\"). The exported middleware in index.js (lines 32-50) calls `runBackgroundTask`, which uses `child_process.spawn('node', [scriptPath, JSON.stringify(args)], { detached: true, stdio: 'ignore' })` followed by `child.unref()` to silently launch `./lib/initializeCaller.js` as a detached background process passing caller-supplied arguments. The referenced `initializeCaller.js` is absent from this tarball, so no payload executes today, but the loader shape (typosquat name + identity lie + detached orphan-process spawner pointing at a sibling file) is structured for a future-version payload swap. The combination of name confusion against a popular target, copied unrelated source used as cover, and a silent background-launcher wired into the advertised API exceeds the bar for typosquat-with-payload-shape.\n","modified":"2026-05-15T07:52:29.886420Z","published":"2026-05-14T19:25:28Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-002726","import_time":"2026-05-15T07:37:18.308336923Z","sha256":"67f7f8d21f5d33db136b1e10fc7fbb6d2a1540240911b0630e7fc9f8724c7b26","modified_time":"2026-05-14T19:25:28Z","versions":["2.0.12"],"source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-as-regulated/v/2.0.12"}],"affected":[{"package":{"name":"chai-as-regulated","ecosystem":"npm","purl":"pkg:npm/chai-as-regulated"},"versions":["2.0.12"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-regulated/MAL-2026-3753.json","indicators":{"package_integrity":[{"hashes":{"sha1":"828865b3b3ba7bc5a1e027cc48fdae254b1b1521","sha512_sri":"sha512-XtlPU4glHYsY79mwjQy898way9wkx1Zt3xOKXsW6Rh0NO4rYV8u9crW897hHllctZlNAmEmTUlHog4TD1Uk1BA=="},"filename":"chai-as-regulated-2.0.12.tgz"}],"evidence_files":[{"tlsh":"0f318545b5f21259126d98c4f6b4a5263cdf9437331b76b1cded93952bce2080032bc7","path":"index.js","sha256":"1f51184c197102444a2c8a23e4a8e54a6479750420512922fcb5d5f795c33911"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}