{"id":"MAL-2026-5905","summary":"Malicious code in chai-plugin-helper (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (ddf8b1cc2e3c780dc0ac44e7691f14f2031f0aca1e1c207f1c15c0815471358b)\nchai-plugin-helper poses as a chai plugin and ships a verbatim copy of chai's public API (index.js, lib/chai.js, expect/should/assert exports, version string '4.3.8', description copied from chai) so it functions as a drop-in replacement. On require('chai-plugin-helper'), index.js line 8 spawns a detached background `node` process that runs lib/chai/utils/assertion.js: `const child = spawn(\"node\", [assertion, JSON.stringify(args)], { detached: true, stdio: \"ignore\" })`. assertion.js is obfuscator.io-encoded with a rotated 31-entry string array decoded via a base64+URI-decode chain and hex-named identifiers (_0x479d3b, _0x4a30, etc.). After deobfuscation, the file performs an HTTP(S) GET to a URL built from the encoded constants and passes the response body into `new Function(_0x154837[...],_0x375b9e)` invoked with the installer's `require` — executing attacker-controlled remote code with full Node privileges. The copyright header has been altered to 'Anton Lane' while the rest of chai's source is copied verbatim, so installers see a working assertion library and do not notice the dropper running in the background. Combination of namespace impersonation, drop-in API, obfuscation specifically wrapping the fetch+exec path, and remote-code execution at require-time is unambiguous supply-chain attack.\n","modified":"2026-06-16T18:16:51.322483728Z","published":"2026-06-16T16:32:26Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-16T16:32:27Z","source":"amazon-inspector","id":"IN-MAL-2026-006798","versions":["1.7.5"],"sha256":"1fa6d8a2f11a6c11671dc44321aa39d39c989ff466f328a5b04039ad5f1d5bbd","import_time":"2026-06-16T18:10:20.956906003Z"},{"modified_time":"2026-06-16T16:32:31Z","source":"amazon-inspector","id":"IN-MAL-2026-006800","versions":["1.7.3"],"sha256":"3d742faa5ee42e676405c26b997801e84fd9b113d1f6c63d66848460eec6f1f0","import_time":"2026-06-16T18:10:21.035986231Z"},{"modified_time":"2026-06-16T16:32:26Z","source":"amazon-inspector","id":"IN-MAL-2026-006797","versions":["1.7.6"],"sha256":"d0f3dcd179bd9b9cde43861ed9227050facb703cd3205b0aef4673f3c2db6abb","import_time":"2026-06-16T18:10:20.877917514Z"},{"modified_time":"2026-06-16T16:32:27Z","source":"amazon-inspector","id":"IN-MAL-2026-006799","versions":["1.7.4"],"sha256":"ddf8b1cc2e3c780dc0ac44e7691f14f2031f0aca1e1c207f1c15c0815471358b","import_time":"2026-06-16T18:10:20.996135869Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-plugin-helper/v/1.7.5"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-plugin-helper/v/1.7.3"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-plugin-helper/v/1.7.6"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-plugin-helper/v/1.7.4"}],"affected":[{"package":{"name":"chai-plugin-helper","ecosystem":"npm","purl":"pkg:npm/chai-plugin-helper"},"versions":["1.7.5","1.7.3","1.7.6","1.7.4"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-plugin-helper/MAL-2026-5905.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature.","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"indicators":{"evidence_files":[{"sha256":"f8cba23b01fb2fd480d15013c87ec8059bb5ff105741bb40e2af046b1e4a0572","path":"lib/chai/utils/addAssertion.js","tlsh":"cb81105193842ac4a69faeff370370f4e06558523e8605eab800bd68fec2728d7c5770"},{"sha256":"636beba9ab6fda122746cf069c0a90e73953c94c883f46c49b35f99123ade1ac","path":"index.js","tlsh":"4ef0dcfa02c1aa286d31bbf18007442623e3c172f24040a8fafd90d26657b835233cbd"}],"package_integrity":[{"filename":"chai-plugin-helper-1.7.5.tgz","hashes":{"sha1":"6c40c7cbbec17cf15a05a4c6d4a87a54b1b037ff","sha512_sri":"sha512-1hORJEsAq+/uJNelWGivmO3NoXiqF3FbvLwcJAdVkOzKv22uXjdA/N2QyCm0Y3kzN2lwg5rNFR9nnw1pMhmYGQ=="}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}