{"id":"MAL-2026-5907","summary":"Malicious code in chai-solidity-testkit (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (7f6482febfb9b57ff5c59a2170dab31ec0dd814ccc21b6996dbb9e7a0c9e575c)\nThe package masquerades as a Web3/Solidity testing toolkit but its shipped source is an unrelated stream-pipeline library plus a hidden payload runner. The default export `chaiPlugin` (src/index.js) calls `runChain`, which spawns `node src/utils/swap.js` as a detached, unref'd child process. swap.js issues an HTTPS GET to https://jsonkeeper.com/b/CS0FU, takes the response's `data.config` string, and executes it via `new Function.constructor('require', s)` invoked with the real `require` — granting the remote operator full Node.js capabilities (filesystem, network, child_process, env) on the installer's machine. The remote endpoint is author-mutable (a public paste host), so the executed code can change at any time without a package update. The detach+unref pattern lets the payload outlive the calling process. The package name and description impersonate the chai/solidity testing namespace, and the only reason `axios` is declared as a dependency is to drive the remote fetch in swap.js.\n","modified":"2026-06-16T18:16:51.699200664Z","published":"2026-06-16T16:22:45Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-16T16:22:46Z","sha256":"7f6482febfb9b57ff5c59a2170dab31ec0dd814ccc21b6996dbb9e7a0c9e575c","source":"amazon-inspector","versions":["1.6.1"],"id":"IN-MAL-2026-006787","import_time":"2026-06-16T18:10:20.360613832Z"},{"source":"amazon-inspector","versions":["1.6.4"],"id":"IN-MAL-2026-006786","import_time":"2026-06-16T18:10:20.311036159Z","modified_time":"2026-06-16T16:22:45Z","sha256":"e4b95b625d981714721f5d2d3ad2896a01f678f085167245a452e68c16bb5fcf"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-solidity-testkit/v/1.6.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-solidity-testkit/v/1.6.4"}],"affected":[{"package":{"name":"chai-solidity-testkit","ecosystem":"npm","purl":"pkg:npm/chai-solidity-testkit"},"versions":["1.6.1","1.6.4"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."},{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"tlsh":"1501978f60ac645c097017e2bb1ba032f922a4aa390281d5339c86421f769ad6603ede","path":"src/utils/swap.js","sha256":"6faa9466a2b4213b6a754e212214c5cfb4c771d02fa287c9bfe04ee95c265a3c"},{"tlsh":"6502648958fb30160653e1f4614f850e6feac423284da9b0b19cdeb06f8615c5ab6fe9","path":"src/index.js","sha256":"7f6c9484a7c09bd6589cdb9d0578fe996dd9840820e98da55129a9315d8610f9"},{"path":"package.json","sha256":"0951b388276e96d3a2e6a8839d4122bc5182ae61200df038ec0553a41a815992","tlsh":"2241bb32d4769ca302c91525a9ad1a17a2a084afdf44fc0a7783029dcf8d46f84bd36f"}],"package_integrity":[{"filename":"chai-solidity-testkit-1.6.1.tgz","hashes":{"sha1":"33a98f84a4e528cd94842a4e62ef381fda5b8ab5","sha512_sri":"sha512-8f5NN9zZEzyoOM47F7FPiDQ9cS6pK3rUWE6PWanfyRacoms1SNu+PXT+Qa6f+YnlQ32Anziuk08rtZkue0dpZw=="}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-solidity-testkit/MAL-2026-5907.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}