Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

MAL-2026-10668: Malicious code in chain-as-log (npm)

0
Critical
Published: 07/15/2026 (07/15/2026, 07:56:38 UTC)
Source: GCVE Database
Product: chain-as-log

Description

The npm package 'chain-as-log' version 3.0.1 contains malicious code that executes during plugin load. It attempts to require an unrelated package 'dbconnectify' and, if not present, silently installs it from npm and executes a function from it. This behavior is unrelated to its advertised purpose as a chai plugin and results in execution of attacker-controlled code on the host system.

Affected software

npmghsa
chain-as-log
Affected versions
=3.0.1

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/15/2026, 12:46:04 UTC

Technical Analysis

The 'chain-as-log' npm package version 3.0.1 advertises itself as a chai plugin for assertion helpers. However, when loaded, it runs a function that tries to require an unrelated package 'dbconnectify'. If this package is not found, the code silently runs an npm install command to fetch 'dbconnectify' without saving it to dependencies and with suppressed logs. It then instantiates this package and calls a method 'queryDBConnect()'. This sequence effectively acts as a stager, causing the execution of attacker-controlled code on the host machine during package load, which is a malicious behavior unrelated to the package's stated functionality.

Potential Impact

Loading the affected version of 'chain-as-log' results in the execution of attacker-controlled code on the host system. This can lead to unauthorized actions, potential system compromise, or further malicious activity initiated by the installed 'dbconnectify' package. The malicious code is triggered automatically upon plugin use, making it a supply chain risk for developers and environments that include this package.

Mitigation Recommendations

No official patch or remediation is currently documented. Users should avoid using 'chain-as-log' version 3.0.1. Remove the package from projects and replace it with trusted alternatives. Monitor for updates from the package maintainer or npm advisories for any official fixes. Since this is a malicious package, consider scanning existing environments for its presence and remove it if found.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
MAL-2026-10668
Osv Schema Version
1.7.4
Aliases
[]
Ecosystems
["npm"]
Database Specific Severity
null
Cvss Version
null

Threat ID: 6a577ed868715ace43b3faba

Added to database: 07/15/2026, 12:36:40 UTC

Last enriched: 07/15/2026, 12:46:04 UTC

Last updated: 07/16/2026, 03:36:27 UTC

Views: 5

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses