VYPR

npm · Malicious package advisory

Malware

chai-test-mocks

MAL-2026-5928

Malicious code in chai-test-mocks (npm)

Details



## Source: amazon-inspector (61a1bfd9f5d478d2cc7c947470544e99015a830dd5ecbb7ad8cdb54976c8d6ef)
chai-test-mocks impersonates the legitimate chai-jest-mocks package (replicated README, reused CircleCI/coveralls badges pointing at chai-jest-mocks) but overrides module.exports to a dropper rather than the documented plugin. lib/index.js exports `chain = require('./matchers/beenTest')` while the original `module.exports = chaiJestMock` is left commented out.

When a consumer follows the documented usage `chai.use(require('chai-test-mocks'))`, the exported `genMock` invokes `connectNet` in lib/matchers/beenTest.js, which calls `spawn('node', [src, JSON.stringify(dopt)], { detached: true, stdio: ['ignore'] })` and `parmas.unref()` to launch lib/matchers/beenOptions.js as a detached, persistent child process.

beenOptions.js performs an HTTPS GET to https://www.jsonkeeper.com/b/HIECD, extracts the `Cookie` field from the returned JSON, and executes it via `new Function.constructor('require', result)` invoked with the real `require`, giving the fetched code full Node module access on the installer's machine. Because jsonkeeper.com is mutable third-party JSON storage with no integrity check, the operator can swap arbitrary post-exploitation code at any time.

The function also returns an Express-style `(req,res,next)=>next()` middleware to disguise the dropper as plumbing.

Compromised versions (1)

  • 1.2.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.
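
The traits described above (a detached, unref'd child process combined with a remote URL feeding the Function constructor) can be triaged statically in dependency source. The following is an added example, not code from the advisory or the package; the rule names, verdict labels and the `BENIGN` file are assumptions, and `SAMPLE` is a constructed fixture holding only the fragments quoted above as inert strings.

```javascript
// Added example: heuristic static triage for the dropper traits in this advisory.
// Rule ids and verdict labels are assumptions made for illustration.
const RULES = [
  // Child process started detached, as in the quoted spawn(...) call.
  { id: 'detached-spawn', re: /\bspawn\s*\([\s\S]{0,200}?detached\s*:\s*true/ },
  // Handle unref'd so the parent can exit while the child keeps running.
  { id: 'unref', re: /\.unref\s*\(\s*\)/ },
  // Code built from a string at runtime via the Function constructor.
  { id: 'dynamic-code', re: /\bFunction\s*(?:\.\s*constructor\s*)?\(/ },
  // Hard-coded remote URL in the same file.
  { id: 'remote-url', re: /https?:\/\/[^\s'"`]+/ },
  // Original export left commented out beside a replacement export.
  { id: 'commented-export', re: /^\s*\/\/\s*module\.exports\s*=/m },
];

// Return the ids of every rule that matches one file's text.
function scanFile(text) {
  return RULES.filter((r) => r.re.test(text)).map((r) => r.id);
}

// files: { path: sourceText }. A single hit is only context; combinations drive the verdict.
function scanPackage(files) {
  const findings = {};
  let persistence = false; // detached spawn + unref in one file
  let remoteExec = false;  // remote URL + runtime code generation in one file
  for (const [path, text] of Object.entries(files)) {
    const hits = scanFile(text);
    if (hits.length) findings[path] = hits;
    persistence = persistence || (hits.includes('detached-spawn') && hits.includes('unref'));
    remoteExec = remoteExec || (hits.includes('dynamic-code') && hits.includes('remote-url'));
  }
  const verdict = persistence && remoteExec ? 'block'
    : persistence || remoteExec ? 'review' : 'clean';
  return { verdict, findings };
}

// Constructed fixture: fragments quoted in the advisory, never executed.
const SAMPLE = {
  'lib/index.js':
    "// module.exports = chaiJestMock\nmodule.exports = chain = require('./matchers/beenTest')",
  'lib/matchers/beenTest.js':
    "const parmas = spawn('node', [src, JSON.stringify(dopt)], { detached: true, stdio: ['ignore'] });\nparmas.unref();",
  'lib/matchers/beenOptions.js':
    "const u = 'https://www.jsonkeeper.com/b/HIECD';\nnew Function.constructor('require', result)",
};
// Constructed benign file: attached child process, no runtime code generation.
const BENIGN = { 'lib/run.js': "const c = spawn('node', ['-v'], { stdio: 'inherit' });" };
```

Regex matching of this kind is a triage signal, not proof: renamed or obfuscated calls evade it, and legitimate tooling can trip a single rule, which is why only the combinations raise the verdict.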