{"id":"MAL-2026-6497","summary":"Malicious code in chai-as-synced (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (7bc0ee3e6a8341e046b84880f9faf0a4750f4a261a791b95d1267066d7828071)\nPackage name 'chai-as-synced' impersonates the well-known 'chai-as-promised'. On require, index.js spawns a detached, stdio-ignored Node child running lib/initializeCaller.js. That script decodes a base64-obfuscated URL (https://amethyst-lorrin-26.tiiny.site/index.json) and an 'x-secret-key' header literal stored inside a fake local process.env object, performs an HTTPS GET to that anonymous static-hosting endpoint, and passes the returned 'cookie' field to new Function.constructor(...) invoked with require injected, retried up to 5 times. The fetched JavaScript runs in the installer's Node process with full require access. The destination obfuscation, detached/unref'd child, and hidden stdio together indicate a covert loader; the declared dependencies (sqlite3, request, axios) and package keywords do not match the advertised purpose.\n","modified":"2026-06-26T03:31:24.762021558Z","published":"2026-06-26T02:51:34Z","database_specific":{"malicious-packages-origins":[{"sha256":"7bc0ee3e6a8341e046b84880f9faf0a4750f4a261a791b95d1267066d7828071","import_time":"2026-06-26T03:14:43.456153823Z","modified_time":"2026-06-26T02:51:34Z","source":"amazon-inspector","id":"IN-MAL-2026-007582","versions":["6.0.3"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-as-synced/v/6.0.3"}],"affected":[{"package":{"name":"chai-as-synced","ecosystem":"npm","purl":"pkg:npm/chai-as-synced"},"versions":["6.0.3"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-as-synced/MAL-2026-6497.json","indicators":{"evidence_files":[{"tlsh":"6e019c60ce788e2304ed25824c2a064376619c13a928fc1932db512c0f9d5bf05ff26d","sha256":"3653595b1ec1c3c78d9489b77c5cc5f43370481807db71b2873d78cc1be56896","path":"package.json"},{"tlsh":"f111008d61fc200c056512e6b22f18116022e4273d4ad4e47adc83470f9627fbd536df","sha256":"2a41c6b7c5e256d70f884c613c6412ef73d86f8cd8a65afe6afb64fabaf4e022","path":"lib/initializeCaller.js"},{"tlsh":"0f318545b5f21259126d98c4f6b4a5263cdf9437331b76b1cded93952bce2080032bc7","sha256":"1f51184c197102444a2c8a23e4a8e54a6479750420512922fcb5d5f795c33911","path":"index.js"}],"package_integrity":[{"hashes":{"sha512_sri":"sha512-+p9JYFO2tMYylZTW6b71Y9N5u5sGHtz31+ampp7X86TOfJtSJZ/L2yoIKc7u/VW2zzWmkQPNiXD0N3ENL6vtxQ==","sha1":"23bd6fe3dd5432840fef212a69140478da55c017"},"filename":"chai-as-synced-6.0.3.tgz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}