{"id":"MAL-2026-4515","summary":"Malicious code in chai-val (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (515e313c5420dfe9edcb88d61079fa80dbf3539da465572fde5ece42ba6ed748)\nThe package masquerades as a pino-logger helper (file structure, exports, and keywords are copied from pino) but its main entry exports a middleware that spawns `node lib/caller.js` as a detached child process. caller.js performs an HTTP GET to https://jsonkeeper.com/b/XRGF3 and passes the response's `.cookie` field directly into `new Function.constructor('require', s)`, invoking it with the host's `require` — granting the fetched script full Node.js capabilities (filesystem, network, child_process, env). The destination URL is additionally stored base64-encoded as `DEV_API_KEY: \"aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iL1hSR0Yz\"`, an obfuscation of the same C2 endpoint. jsonkeeper.com is an anonymous, mutable paste host: today's content can be replaced by the operator at any moment without republishing the npm package. Any developer who installs chai-val and invokes the advertised middleware export triggers arbitrary remote code execution under their Node process.\n","modified":"2026-05-26T06:02:19.583604297Z","published":"2026-05-21T12:36:47Z","database_specific":{"malicious-packages-origins":[{"sha256":"515e313c5420dfe9edcb88d61079fa80dbf3539da465572fde5ece42ba6ed748","modified_time":"2026-05-21T12:36:47Z","source":"amazon-inspector","import_time":"2026-05-26T05:51:21.246948501Z","id":"IN-MAL-2026-003806","versions":["1.1.9"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-val/v/1.1.9"}],"affected":[{"package":{"name":"chai-val","ecosystem":"npm","purl":"pkg:npm/chai-val"},"versions":["1.1.9"],"database_specific":{"cwes":[{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-val/MAL-2026-4515.json","indicators":{"evidence_files":[{"path":"lib/caller.js","sha256":"d81e48769a830cd3384a4b8977ade12e5ab7583eb7cca84e7ab966d15871bd71","tlsh":"f8017b8a30fa605c015510f64b1fa4327011e4273c49e5c5378c87524fea9ae6963aed"},{"path":"index.js","sha256":"2956b023858d706a5e241cd28b845088e5f414c5f70bd5d8cb73cb427d081065","tlsh":"5d213c81b9f11188065cd9c8b569e53a38e3c4377207b9b0e9ec87862bcf2080272ad7"}],"package_integrity":[{"hashes":{"sha1":"7ea13a8f58ae077a9cfe93e18ba1f8d1724f06c4","sha512_sri":"sha512-c/hIx+j3aSjrtdVF9zmb0IIzjrj8SX8uaXF37bobU8zI63RTRp4WIN6JYQShILIh8U6Hpzl3z78fC6hW9Flplg=="},"filename":"chai-val-1.1.9.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}