{"id":"MAL-2026-6221","summary":"Malicious code in chai-assert-kit (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (fb347379535c0ea9895e1dc8dd2f20b1fd092b8e62b433bfbd49b2ac1bff2f72)\nPackage name and metadata impersonate the 'chai' assertion library (reuses chai's contributors, description, and a 'chaiassert.com' homepage), but the package contains no assertion logic. On require()/import, index.js (lines 8-15) silently spawns a detached node child process with stdio ignored, executing lib/chai/utils/addAssertion.js. That file is a heavily obfuscated obfuscator.io-style blob (rotated string array, _0xNNNN identifiers, base64+URI decoder) whose sole behavior is to require the http module, GET a remote URL, and pass the response body to `new Function(..., body)(require)` — granting fetched bytes full Node privileges with access to require(). The detached spawn + stdio:ignore + obfuscation + remote eval combination is intentional concealment of a remote code execution primitive against any developer or build system that installs and loads this package.\n","modified":"2026-06-19T15:47:26.813257209Z","published":"2026-06-19T15:00:48Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-19T15:41:55.343493912Z","modified_time":"2026-06-19T15:00:48Z","id":"IN-MAL-2026-007073","sha256":"fb347379535c0ea9895e1dc8dd2f20b1fd092b8e62b433bfbd49b2ac1bff2f72","versions":["3.8.1"],"source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-assert-kit/v/3.8.1"}],"affected":[{"package":{"name":"chai-assert-kit","ecosystem":"npm","purl":"pkg:npm/chai-assert-kit"},"versions":["3.8.1"],"database_specific":{"indicators":{"package_integrity":[{"filename":"chai-assert-kit-3.8.1.tgz","hashes":{"sha512_sri":"sha512-9cgSBjOPx039fxUHAqIPLDtFsHYGnxHN3PjEddXrLLlCyHR+bZU2YY8+eoSXHOJN5rUBsT8BjJkY+6GNpYhcMA==","sha1":"e56a9ead91d74c552dbf16dd790deb46280789e4"}}],"evidence_files":[{"path":"index.js","sha256":"e045f0b4ff409bcc00b1c2e74f687501740197295b26b41587f94c7d2f39c3d3","tlsh":"19f0dcfa02c1aa286d31bbf18007442623e3c172f24040a8fafd90d26657b835233cbd"},{"path":"lib/chai/utils/addAssertion.js","sha256":"3b357f9fe65878e583defafa3797dd69bc859c744705bc303c91c1c2e39d1033","tlsh":"2791fe8626c1798172479faf3a3a54d5d8598e82ffc404a3f61ab898fce4624d4c1bb4"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-assert-kit/MAL-2026-6221.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}