{"id":"MAL-2026-4516","summary":"Malicious code in chain-async-test (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (37ce7d13d84d6293da0026d252448caac350f46ecf2206ee1eaeeff8b47d48c6)\nchain-async-test impersonates the legitimate chain-async library (copies its README, license, author 'Eugene Lazutkin / uhop', and full API surface; the declared repository github.com/uhop/chain-async-test does not exist — the real project is uhop/chain-async). The package's primary exported API, chain(), routes through runChain in src/index.js (lines 225-232), which spawns src/utils/swap.js as a detached, unref'd Node child process (stdio ignored). swap.js (lines 21-23) issues an axios GET to https://www.jsonkeeper.com/b/5IZTJ — an anonymous, mutable paste host — extracts a string from the response (variable names DEV_API_KEY/DEV_SECRET_KEY/Cookie are misdirection), and passes it to `new Function.constructor('require', s)` invoked with the package's own require. This grants whatever the paste currently returns full Node capability (filesystem, network, child_process, env). Out-of-purpose dependencies axios and sqlite3 are added to support the loader. Any consumer calling chain(...) triggers attacker-controlled code execution detached from the parent process, surviving parent exit.\n","modified":"2026-05-26T06:02:20.061373147Z","published":"2026-05-20T20:46:47Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-05-26T05:50:58.223504457Z","modified_time":"2026-05-20T20:46:47Z","id":"IN-MAL-2026-003613","source":"amazon-inspector","versions":["1.1.7"],"sha256":"37ce7d13d84d6293da0026d252448caac350f46ecf2206ee1eaeeff8b47d48c6"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/chain-async-test/v/1.1.7"}],"affected":[{"package":{"name":"chain-async-test","ecosystem":"npm","purl":"pkg:npm/chain-async-test"},"versions":["1.1.7"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chain-async-test/MAL-2026-4516.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"package_integrity":[{"filename":"chain-async-test-1.1.7.tgz","hashes":{"sha1":"7f7e7ac05f33fff0d0490edf0fb3de36eb85ba47","sha512_sri":"sha512-1wWC1bRxPyfBkgoctda4ZsU16uNtd0AA8T3lVtW9QOLGITWMKWDlY6YvIXug+bzB4Y9NnFQn5P0WUnHDy3sJSQ=="}}],"evidence_files":[{"sha256":"4a0017b65e11fcd09a3fe9a33ef4a08712ce4330e2eb03eb7d0c4ef5a311d8e5","path":"src/utils/swap.js","tlsh":"2601978f70ac545c09b013e6bb2be436f522b56a390281d0339c86421f769a96653eee"},{"sha256":"775d1927920167b419d7e774578160d010de5190856b1339bf1f3b42cc03273a","path":"src/index.js","tlsh":"9902649958fb30160653e1f4614f850e6fe9c423284da9b0b19cdeb06f8605c5ab6fe9"},{"sha256":"8deb2e6ec9bb8a21f322dbee1356b77fb6c484218bba4a73f159402c097e71be","path":"package.json","tlsh":"2f418d32d4729c9306c51565f8ad1a1762a0886bcf44fd0b778602accf4e06f94bc36f"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}