{"id":"MAL-2026-5748","summary":"Malicious code in chai-utils-test (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (64edd573a9e5fdef8dcde78f5b0c9fa00521f232b886be838104741d1e0535f7)\nPackage name 'chai-utils-test' impersonates the popular 'chai' assertion library and ships a cloned chai source tree. The declared main (index.js) calls a top-level launcher that spawns `node lib/chai/utils/assertion.js` as a detached child process with `stdio:'ignore'` and `child.unref()`, so the dropper survives the parent and produces no visible output. The child uses axios to GET https://statecheck.ddns.net/api/scanner.js (a dynamic-DNS host) with a base64-encoded `key=YWRtaW46c2VjcmV0MTIz` query parameter (likely a server-side gate for staged payload delivery), then runs the response body via `new Function('require', s)(require)` — granting the attacker-served code full Node `require()` access. The package also pre-installs a `global.atob` polyfill backed by `Buffer.from(x,'base64').toString('utf8')` in preparation for the fetched payload. Net effect: any developer or CI job that requires/imports this package executes attacker-controlled code from a mutable remote endpoint with full Node privileges.\n","modified":"2026-06-13T21:46:45.657194513Z","published":"2026-06-13T20:52:08Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-13T21:32:32.517448462Z","versions":["4.5.3"],"id":"IN-MAL-2026-006383","source":"amazon-inspector","modified_time":"2026-06-13T20:52:09Z","sha256":"18fced2e0d10d37dc3ca5a984ff8d36af0b1fb115b05a4a5378e2e5b42597332"},{"source":"amazon-inspector","versions":["4.5.0"],"id":"IN-MAL-2026-006389","sha256":"93585e9331720cf1478c8e7b95cf9ff62f512b41d3e7d3caf323bd9e16a97aeb","modified_time":"2026-06-13T20:52:17Z","import_time":"2026-06-13T21:32:32.833626999Z"},{"sha256":"ff4ec29ec510f5f0e3b662983bffec70d14d70c058493edfc2c7def8e0e6829a","versions":["4.5.4"],"id":"IN-MAL-2026-006393","import_time":"2026-06-13T21:32:32.976701894Z","modified_time":"2026-06-13T20:52:21Z","source":"amazon-inspector"},{"sha256":"2e1bdccf3a79722f18b4d6a1d48b8fc3331ebe7b4a394d3012a19d6c3455fbb8","versions":["4.5.1"],"id":"IN-MAL-2026-006386","import_time":"2026-06-13T21:32:32.702383186Z","modified_time":"2026-06-13T20:52:15Z","source":"amazon-inspector"},{"sha256":"64edd573a9e5fdef8dcde78f5b0c9fa00521f232b886be838104741d1e0535f7","versions":["4.5.5"],"id":"IN-MAL-2026-006391","import_time":"2026-06-13T21:32:32.902523756Z","modified_time":"2026-06-13T20:52:18Z","source":"amazon-inspector"},{"import_time":"2026-06-13T21:32:32.43545565Z","versions":["4.5.3"],"id":"IN-MAL-2026-006382","source":"amazon-inspector","modified_time":"2026-06-13T20:52:08Z","sha256":"c724301f7d4afa2a50e7ee6e6b500b2a7392ce13c895f03ab9206ea471636805"},{"sha256":"dca0b5258c13cba7ee0158286c3f7118c1b44f98657b1001878e9df190443ef7","versions":["4.5.2"],"id":"IN-MAL-2026-006388","import_time":"2026-06-13T21:32:32.809882835Z","modified_time":"2026-06-13T20:52:16Z","source":"amazon-inspector"},{"import_time":"2026-06-13T21:32:32.745940182Z","versions":["4.5.0"],"id":"IN-MAL-2026-006387","source":"amazon-inspector","modified_time":"2026-06-13T20:52:15Z","sha256":"fa34e73468624d4f80385acb5835a40410dde2339c1d41d6ab2ef32737aad941"},{"source":"amazon-inspector","versions":["4.5.4"],"id":"IN-MAL-2026-006385","sha256":"1bb5e339775a0025b7b7a3efbadd6cdcb73c30ad3eca45d8f55fc55e533cf72a","modified_time":"2026-06-13T20:52:14Z","import_time":"2026-06-13T21:32:32.656361912Z"},{"sha256":"4a37c97f62e1bde737d809c7727dc50bf52215caa7bb637e0d027a32fb2dbee0","versions":["4.5.1"],"id":"IN-MAL-2026-006384","import_time":"2026-06-13T21:32:32.562658463Z","modified_time":"2026-06-13T20:52:14Z","source":"amazon-inspector"},{"import_time":"2026-06-13T21:32:32.872404885Z","versions":["4.5.2"],"id":"IN-MAL-2026-006390","source":"amazon-inspector","modified_time":"2026-06-13T20:52:17Z","sha256":"6f0b254e6f88070926286a7daf4047309991498afa8b3b9ccd820673fff67619"},{"sha256":"8a46079174a90c2bb08586bcc66d2fc6f7ea6d71bb6385d1f623272b7df9fe16","versions":["4.5.5"],"id":"IN-MAL-2026-006392","import_time":"2026-06-13T21:32:32.937329696Z","modified_time":"2026-06-13T20:52:19Z","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-utils-test/v/4.5.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-utils-test/v/4.5.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-utils-test/v/4.5.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-utils-test/v/4.5.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-utils-test/v/4.5.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-utils-test/v/4.5.1"}],"affected":[{"package":{"name":"chai-utils-test","ecosystem":"npm","purl":"pkg:npm/chai-utils-test"},"versions":["4.5.3","4.5.0","4.5.4","4.5.1","4.5.5","4.5.2"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-utils-test/MAL-2026-5748.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"sha256":"f56fb93121b5e7fccd0df155347cf5b4f46e5abdcb45caf2efc79e490f575eaa","path":"lib/chai/utils/assertion.js","tlsh":"18e0abad3066604c0d313bf8830a443dd222e035384ac2d2b90c01d3493a4096263fe8"},{"sha256":"a1dd05076258a140f526125300412b0693462f4f0adcb50d7754af5676ff85ae","path":"index.js","tlsh":"8bf05cea43822a686d30bbf8c51a982666e2d131f14180b4f9fd40d27697b824237cbc"}],"package_integrity":[{"filename":"chai-utils-test-4.5.5.tgz","hashes":{"sha1":"24f1e1a68608f960496b595ab7c7487d62d6b500","sha512_sri":"sha512-JTFP4ytiy8rV9kwU44bPlpUApUrL9zQ2k/AospJF05KaW3ZvZWeNoTS9oc/anFTF9vkYeDFCPfRmX+a34jO3TA=="}}],"ips":["104.16.11.34","10.1.0.2","104.16.5.34"]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}