VYPR

npm · Malicious package advisory

Malware

chai-plugin-kit

MAL-2026-5906

Malicious code in chai-plugin-kit (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (26567b08d635c9b26d6befaba3dfc61a957bcf295cb321d03025b39bc54890ad)
Package republishes the chai source tree under the confusable name `chai-plugin-kit`. The package's main entry (`index.js`) spawns a detached, stdio-silenced `node` subprocess running `lib/chai/utils/addAssertion.js` on every `require('chai-plugin-kit')`. That file is heavily obfuscated with obfuscator.io transforms (rotated 31-entry string array `_0x4a30`, custom base64 decoder `_0x495d`, hex-named identifiers, control-flow flattening) hiding an https GET to an attacker-controlled URL whose response body is passed to `new Function('require', body)` and immediately invoked with the real `require` — granting attacker-controlled JavaScript full Node API access (filesystem, network, child_process, env). The detached + unref + `stdio:'ignore'` pattern is deliberate evasion to hide the child process from the consuming developer. A legitimate chai plugin has no reason to fetch and eval remote code.

Compromised versions (1)

  • 5.8.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.