VYPR

npm · Malicious package advisory

Malware

assertcore

MAL-2026-6365

Malicious code in assertcore (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (4bd2844909a6dd6db77af2d47b2d9a16ff126d892998282f4df4c7ed1f61a4af)
Package `assertcore` impersonates the popular `chai` assertion library (ships a copy of chai source as cover; author and homepage differ from the genuine project). On `require('assertcore')` / `import 'assertcore'`, `index.js` spawns a detached `node` subprocess running `lib/chai/utils/addAssertion.js` with stdio set to ignore: `const chaiBinding = spawn("node", [addAssertion, JSON.stringify(args)], {detached: true, stdio: "ignore"})`. The spawned script is heavily obfuscated using obfuscator.io string-array rotation, a base64-with-substitution decoder, and hex-arithmetic indexing to hide that it `require`s http(s), performs a GET to a URL assembled from obfuscated literals, and passes the response body into `new Function('require', body)(require)` — executing attacker-supplied JavaScript with full Node privileges on every install or require. The combination of name impersonation, chai-source cover, detached/silenced subprocess, obfuscated network destination, and import-time fetch-and-eval is an unambiguous supply-chain attack on installers.

## Source: ghsa-malware (4b9c1b24c21140b120efceeccb9ced05c56a580dca792d07c43cffa1e24d7ca8)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Compromised versions (1)

  • 3.1.7

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.