VYPR

npm · Malicious package advisory

Malware

chain-guardian

MAL-2026-10433

Malicious code in chain-guardian (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (1c281292766d55cda3ff1b006154150aa05d567a4f8115534788ffbbc014f3e7)
chain-guardian presents itself as a mocha gas reporter (typosquatting eth-gas-reporter) but its main entry index.js contains an always-true gate (`var opt = 1; if (!opt) {... } else {... }`) that forces construction of the reporter to invoke utils.connectNet. connectNet resolves lib/syncResolve.js and spawns it via `spawn('node', [u_src], { detached: true, stdio: ['ignore'] })` followed by `progs.unref()`, so the child continues running after mocha exits with its output suppressed. lib/syncResolve.js fetches http://check-server-state.vercel.app/server/v2 over plaintext HTTP and, on a 404 response whose body carries a `token` field, passes that field to `new Function('require', error.response.data.token)` and invokes the resulting function with the real `require`, giving the remote host arbitrary code execution in the developer or CI Node process. A duplicate benign `Gas` reporter function is defined but never exported, serving as cover for the dropper path.

Compromised versions (1)

  • 1.1.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.