{"id":"MAL-2026-6994","summary":"Malicious code in chai-presentation (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (1d078bac337fe2c1b76c757c29d286fc750be585db65f30f5d696038c2ea0d3a)\nOn require(), index.js issues an HTTPS GET to https://www.jsonkeeper.com/b/PC5CK and passes the response's `cookie` field to `new Function('require',...)`, immediately invoking it with the host's `require`. This gives whoever controls that jsonkeeper.com paste full Node.js execution privileges on the installer's machine the moment any consumer imports the package. A second staged loader is wired in parallel: index.js top-level spawns a detached, stdio-ignored Node child running lib/caller.js, which polls a URL built from config values and, on a 404 response, passes `error.response.data.token` to Function.constructor and executes it with `require`. lib/const.js additionally stores a base64 string under `DEV_API_KEY` that decodes to https://jsonkeeper.com/b/4NAKK — a second anonymous paste-host URL hidden from plain-string scanning. The package name presents as a chai plugin but the README describes an unrelated package (`chai-submission`), and declared dependencies (axios, request, sqlite3) are unrelated to chai assertions — an impersonation lure wrapping two import-time remote-eval channels.\n","modified":"2026-07-09T16:31:54.174780512Z","published":"2026-07-08T16:35:25Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-008157","versions":["0.0.1"],"source":"amazon-inspector","modified_time":"2026-07-08T16:35:25Z","import_time":"2026-07-08T17:01:35.139009961Z","sha256":"854dd2b8a43d8936f153925a2af8ee8de5d18647149aeba69fb0329eaa461b93"},{"id":"IN-MAL-2026-009133","versions":["0.0.2"],"source":"amazon-inspector","modified_time":"2026-07-09T15:33:05Z","import_time":"2026-07-09T16:20:43.971784104Z","sha256":"1d078bac337fe2c1b76c757c29d286fc750be585db65f30f5d696038c2ea0d3a"},{"id":"IN-MAL-2026-009143","versions":["0.0.4"],"source":"amazon-inspector","modified_time":"2026-07-09T15:34:39Z","import_time":"2026-07-09T16:20:45.091611153Z","sha256":"e296151c365f329bd838069b98d7a0465a8e0bd4a8a880b49d7369de9fcd39a7"},{"id":"IN-MAL-2026-009144","versions":["0.0.3"],"source":"amazon-inspector","modified_time":"2026-07-09T15:34:46Z","import_time":"2026-07-09T16:20:45.212916558Z","sha256":"0402b794b3d59a9f4436dcc77f155ae7e0bbb1716b9117a4ecc700c62f0cfc99"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-presentation/v/0.0.1"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-presentation/v/0.0.2"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-presentation/v/0.0.4"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/chai-presentation/v/0.0.3"}],"affected":[{"package":{"name":"chai-presentation","ecosystem":"npm","purl":"pkg:npm/chai-presentation"},"versions":["0.0.1","0.0.2","0.0.4","0.0.3"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chai-presentation/MAL-2026-6994.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"tlsh":"e7d1c1a839a7a0188523b1f5097fa416e177a1172029d9d8b5ecc2d00fddee89523dfa","path":"index.js","sha256":"e007edbe8b5db9c0904ba7cbb3ee8d0013bb28273b3733b32ad9e641ca16c006"},{"tlsh":"8721245628fa31190726a8deca4bd4313426f5332626d0c0f69c87861fe789e96b77dc","path":"lib/caller.js","sha256":"e8a73ca951f7af5663bbbff07c9d57b43c1649109ddaf49a7364d2e5b300e8fa"},{"tlsh":"0c0145a4cc78dd7309da22a1982e4157a1619d074c18fc0e33e6422c8f8c86f21bea6d","path":"package.json","sha256":"bbb115ded260f2d6a9fc4c7b9404a837dcd83f3147719f78b9c22de07188076d"}],"package_integrity":[{"filename":"chai-presentation-0.0.1.tgz","hashes":{"sha1":"8e427038ff070bc0760db50772783101366319c2","sha512_sri":"sha512-M8CtXM0bZ2+zuPPFxL0nTmv/b+Dqw621rnBPIlR2mhZRLoefK4RnBSBzBKZrTVAec4fwJwoodhx1KyfOiwrmEw=="}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}