VYPR

npm · Malicious package advisory

Malware

chai-assert-kit

MAL-2026-6221

Malicious code in chai-assert-kit (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (fb347379535c0ea9895e1dc8dd2f20b1fd092b8e62b433bfbd49b2ac1bff2f72)
Package name and metadata impersonate the 'chai' assertion library (reuses chai's contributors, description, and a 'chaiassert.com' homepage), but the package contains no assertion logic. On require()/import, index.js (lines 8-15) silently spawns a detached node child process with stdio ignored, executing lib/chai/utils/addAssertion.js. That file is a heavily obfuscated obfuscator.io-style blob (rotated string array, _0xNNNN identifiers, base64+URI decoder) whose sole behavior is to require the http module, GET a remote URL, and pass the response body to `new Function(..., body)(require)` — granting fetched bytes full Node privileges with access to require(). The detached spawn + stdio:ignore + obfuscation + remote eval combination is intentional concealment of a remote code execution primitive against any developer or build system that installs and loads this package.

Compromised versions (1)

  • 3.8.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.