{"id":"MAL-2026-6219","summary":"Malicious code in chai-as-forgeted (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (b6b32b714919c755532ed3d2695d1966568c24878e9721a5d756896d81881020)\nPackage name impersonates the popular chai-as-promised assertion library, but its package.json description and keywords are copied from pino and the code is unrelated to chai. The package's main entry exports a middleware factory that spawns lib/caller.js as a detached node child process. lib/caller.js base64-decodes a hardcoded URL pointing at api.jsonstorage.net (a mutable third-party JSON storage service), GETs the JSON document, extracts the `cookie` field, and executes its contents via `new Function.constructor('require', s)(require)` with full access to `require`. The C2 URL and request headers are stored as base64 strings inside a locally redefined `process` object that shadows the real process global, then decoded with `atob` at runtime. Any consumer who installs and invokes the exported middleware triggers arbitrary attacker-controlled code execution; the attacker can rotate the payload served by the JSON storage endpoint at will.\n","modified":"2026-06-19T15:47:26.742009452Z","published":"2026-06-19T14:10:27Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-19T14:10:27Z","source":"amazon-inspector","id":"IN-MAL-2026-007065","versions":["9.24.6"],"sha256":"b6b32b714919c755532ed3d2695d1966568c24878e9721a5d756896d81881020","import_time":"2026-06-19T15:41:54.804687325Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-as-forgeted/v/9.24.6"}],"affected":[{"package":{"name":"chai-as-forgeted","ecosystem":"npm","purl":"pkg:npm/chai-as-forgeted"},"versions":["9.24.6"],"database_specific":{"indicators":{"package_integrity":[{"filename":"chai-as-forgeted-9.24.6.tgz","hashes":{"sha512_sri":"sha512-QD0MAM/tH4wen/cwZEPYwtuG2KMatHpoZwHNJKyirzP0wew4gkGDs6lMUF7n7cuzTSd+Cr5R5GrV7iiveIxzFQ==","sha1":"8dcc2abb4ef93b067275f49f1789d685ec1d6975"}}],"evidence_files":[{"tlsh":"1b01af9934fe541c015112e9171fa1326050e4673d86e6c83b4c87129fa667e6e93adf","path":"lib/caller.js","sha256":"37e9dde0f35864e2ea8dcd4c8b5324ef50e3798195d04c30ba6938352af702db"},{"tlsh":"7e019c60ce788e2304ed25824c2e0643b6659c139928fc1932d7512c0f9d9bf15bf25d","path":"package.json","sha256":"842a296220c20e1ad41ccff4bbaf394d574704b14b6731989b1d7f0708840a1c"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-forgeted/MAL-2026-6219.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}