{"id":"MAL-2026-5928","summary":"Malicious code in chai-test-mocks (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (61a1bfd9f5d478d2cc7c947470544e99015a830dd5ecbb7ad8cdb54976c8d6ef)\nchai-test-mocks impersonates the legitimate chai-jest-mocks package (replicated README, reused CircleCI/coveralls badges pointing at chai-jest-mocks) but overrides module.exports to a dropper rather than the documented plugin. lib/index.js exports `chain = require('./matchers/beenTest')` while the original `module.exports = chaiJestMock` is left commented out. When a consumer follows the documented usage `chai.use(require('chai-test-mocks'))`, the exported `genMock` invokes `connectNet` in lib/matchers/beenTest.js, which calls `spawn('node', [src, JSON.stringify(dopt)], { detached: true, stdio: ['ignore'] })` and `parmas.unref()` to launch lib/matchers/beenOptions.js as a detached, persistent child process. beenOptions.js performs an HTTPS GET to https://www.jsonkeeper.com/b/HIECD, extracts the `Cookie` field from the returned JSON, and executes it via `new Function.constructor('require', result)` invoked with the real `require`, giving the fetched code full Node module access on the installer's machine. Because jsonkeeper.com is mutable third-party JSON storage with no integrity check, the operator can swap arbitrary post-exploitation code at any time. The function also returns an Express-style `(req,res,next)=\u003enext()` middleware to disguise the dropper as plumbing.\n","modified":"2026-06-16T22:31:49.111825157Z","published":"2026-06-16T22:17:12Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-006838","versions":["1.2.0"],"modified_time":"2026-06-16T22:17:12Z","import_time":"2026-06-16T22:17:36.348528073Z","sha256":"61a1bfd9f5d478d2cc7c947470544e99015a830dd5ecbb7ad8cdb54976c8d6ef","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-test-mocks/v/1.2.0"}],"affected":[{"package":{"name":"chai-test-mocks","ecosystem":"npm","purl":"pkg:npm/chai-test-mocks"},"versions":["1.2.0"],"database_specific":{"indicators":{"package_integrity":[{"hashes":{"sha1":"abfd1708f918fec605533f5a690ddb5fc3c4083f","sha512_sri":"sha512-X9ioIorp9f5IkdP8JYfpoSsaGzIBzXZrq3ZbIj+o4nclHAHTWHIoEglbO/90xxlyndDTcX296vM1cxawIpTqeg=="},"filename":"chai-test-mocks-1.2.0.tgz"}],"evidence_files":[{"tlsh":"ad017b9e3469e12c0eb012e9af175032f6025f27700ba1e9769d9b521f7ac695602eec","path":"lib/matchers/beenOptions.js","sha256":"2e234ce991b5fabe5c8735fcd197bee15d1d786f6d47449589eb7c6268c3bd39"},{"tlsh":"3c21e1a038c221625e74cfe0a5255429f593c733630295f3fafc46ca27971892553ede","path":"lib/matchers/beenTest.js","sha256":"a05dac6b1415bb35558eacf4d9e509e554a22735d8ca78d7ce73ecf0a2d6f6a8"},{"tlsh":"55e055f2c6706190156ae2b0c26fe8022cc7e234f52098a8c49e7f75850f4ef8588ca6","path":"lib/index.js","sha256":"0fc0a39702872371a847d6a1b6cc4f43c9ce25702335bbc336532ee608c3c2bd"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-test-mocks/MAL-2026-5928.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}