Malicious code in chai-utils-test (npm)
MAL-2026-5748
Published · Modified
Description
__
Source: amazon-inspector (64edd573a9e5fdef8dcde78f5b0c9fa00521f232b886be838104741d1e0535f7)
Package name 'chai-utils-test' impersonates the popular 'chai' assertion library and ships a cloned chai source tree. The declared main (index.js) calls a top-level launcher that spawns node lib/chai/utils/assertion.js as a detached child process with stdio:'ignore' and child.unref(), so the dropper survives the parent and produces no visible output. The child uses axios to GET https://statecheck.ddns.net/api/scanner.js (a dynamic-DNS host) with a base64-encoded key=YWRtaW46c2VjcmV0MTIz query parameter (likely a server-side gate for staged payload delivery), then runs the response body via new Function('require', s)(require) — granting the attacker-served code full Node require() access. The package also pre-installs a global.atob polyfill backed by Buffer.from(x,'base64').toString('utf8') in preparation for the fetched payload. Net effect: any developer or CI job that requires/imports this package executes attacker-controlled code from a mutable remote endpoint with full Node privileges.
References
- PACKAGE https://www.npmjs.com/package/chai-utils-test/v/4.5.5
- PACKAGE https://www.npmjs.com/package/chai-utils-test/v/4.5.3
- PACKAGE https://www.npmjs.com/package/chai-utils-test/v/4.5.2
- PACKAGE https://www.npmjs.com/package/chai-utils-test/v/4.5.0
- PACKAGE https://www.npmjs.com/package/chai-utils-test/v/4.5.4
- PACKAGE https://www.npmjs.com/package/chai-utils-test/v/4.5.1
Ready to move
Start Securing
Free, no credit card | First findings in minutes