{"id":"MAL-2026-5904","summary":"Malicious code in chai-plugin (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (67e08b149ec19ba5622783cfdf864741264b5f6cbe5f56a15c8553c6f1ab5106)\nPackage name `chai-plugin` impersonates the popular `chai` assertion library — README and copyright headers reference chaijs.com / chaijs/chai, but the homepage is the lookalike `chaiplugin.com` and the author is unrelated to chai's real maintainer. Two obfuscator.io payloads (hex-named identifiers, rotated string array with a base64+URI custom decoder, control-flow obfuscation, arithmetic self-check) are glued onto otherwise-legitimate chai source. (1) `lib/chai/utils/assertion.js` builds a URL with a query parameter, calls `require('http'|'https').get(url,...)`, accumulates the response body, then executes the bytes via `new Function('require', body)(require)` — an import-time dropper that runs whatever JS the remote server currently serves, with full Node `require` capability. (2) `lib/chai.js` destructures `spawn` from `child_process` and unconditionally invokes a top-level function that runs `spawn(\u003ccmd\u003e, [path.join(__dirname, \u003csibling\u003e), JSON.stringify(opts)], {detached: true, stdio:...}).unref()`, backgrounding a malicious worker that survives the parent process. Both fire at module load via `index.js -\u003e require('./lib/chai')`. The combination of typosquat name, obfuscation smuggled onto legitimate source, network-fetch-and-eval, and detached subprocess launch is a malicious supply-chain dropper.\n","modified":"2026-06-16T18:16:51.540720152Z","published":"2026-06-16T16:22:46Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-16T18:10:20.479391284Z","source":"amazon-inspector","versions":["4.5.3"],"sha256":"67e08b149ec19ba5622783cfdf864741264b5f6cbe5f56a15c8553c6f1ab5106","id":"IN-MAL-2026-006789","modified_time":"2026-06-16T16:22:47Z"},{"versions":["4.5.5"],"source":"amazon-inspector","import_time":"2026-06-16T18:10:20.819692603Z","sha256":"d8288900390b603834b85d1945f829d1c5386bd7cbca56ded07b27557ddb4d0f","id":"IN-MAL-2026-006796","modified_time":"2026-06-16T16:22:54Z"},{"import_time":"2026-06-16T18:10:20.588614063Z","source":"amazon-inspector","versions":["4.5.2"],"sha256":"955522a906103bb6eae62759721a35b120cdaffd1d2747a2f1b73b37c6d2d1db","id":"IN-MAL-2026-006792","modified_time":"2026-06-16T16:22:50Z"},{"import_time":"2026-06-16T18:10:20.412411486Z","source":"amazon-inspector","versions":["4.5.4"],"sha256":"9bbe8cb82be82f91cf6332988d29fcdd4e7574f766af4d524ce5c08edc9f94f6","id":"IN-MAL-2026-006788","modified_time":"2026-06-16T16:22:46Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-plugin/v/4.5.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-plugin/v/4.5.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-plugin/v/4.5.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-plugin/v/4.5.4"}],"affected":[{"package":{"name":"chai-plugin","ecosystem":"npm","purl":"pkg:npm/chai-plugin"},"versions":["4.5.3","4.5.5","4.5.2","4.5.4"],"database_specific":{"indicators":{"package_integrity":[{"filename":"chai-plugin-4.5.3.tgz","hashes":{"sha1":"8b522378612e9a54014d0653ba22e739172f3387","sha512_sri":"sha512-S6z2OB197s00jsek6ikpXeEmdFBbgCTaQuZhiOaCxJk/p8XzfY1bHDgl/N3z98pFuqieglEBedoY+hlwau90Ig=="}}],"evidence_files":[{"path":"package.json","tlsh":"8f214760cd689eb30ada12d4342e001371318e434e54fc0d37aa274d0f9e46f357da5d","sha256":"03c3bd14626efeb31b5a90d20a3115c8bcad2d98c1d2eb638d47c70044fe91a3"},{"path":"lib/chai/utils/assertion.js","tlsh":"cb81105193842ac4a69faeff370370f4e06558523e8605eab800bd68fec2728d7c5770","sha256":"f8cba23b01fb2fd480d15013c87ec8059bb5ff105741bb40e2af046b1e4a0572"},{"path":"lib/chai.js","tlsh":"72a165953ac06da153079efb773ba5d4e405cecf7289449d8120b590aee192ecd92f32","sha256":"ba7ecd720b416756efb4f433f96bded0b8472bdbce535ebc129e39e5c6ac90c3"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-plugin/MAL-2026-5904.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}