MAL-2026-10668: Malicious code in chain-as-log (npm)
The npm package 'chain-as-log' version 3.0.1 contains malicious code that executes during plugin load. It attempts to require an unrelated package 'dbconnectify' and, if not present, silently installs it from npm and executes a function from it. This behavior is unrelated to its advertised purpose as a chai plugin and results in execution of attacker-controlled code on the host system.
AI Analysis
Technical Summary
The 'chain-as-log' npm package version 3.0.1 advertises itself as a chai plugin for assertion helpers. However, when loaded, it runs a function that tries to require an unrelated package 'dbconnectify'. If this package is not found, the code silently runs an npm install command to fetch 'dbconnectify' without saving it to dependencies and with suppressed logs. It then instantiates this package and calls a method 'queryDBConnect()'. This sequence effectively acts as a stager, causing the execution of attacker-controlled code on the host machine during package load, which is a malicious behavior unrelated to the package's stated functionality.
Potential Impact
Loading the affected version of 'chain-as-log' results in the execution of attacker-controlled code on the host system. This can lead to unauthorized actions, potential system compromise, or further malicious activity initiated by the installed 'dbconnectify' package. The malicious code is triggered automatically upon plugin use, making it a supply chain risk for developers and environments that include this package.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should avoid using 'chain-as-log' version 3.0.1. Remove the package from projects and replace it with trusted alternatives. Monitor for updates from the package maintainer or npm advisories for any official fixes. Since this is a malicious package, consider scanning existing environments for its presence and remove it if found.
MAL-2026-10668: Malicious code in chain-as-log (npm)
Description
The npm package 'chain-as-log' version 3.0.1 contains malicious code that executes during plugin load. It attempts to require an unrelated package 'dbconnectify' and, if not present, silently installs it from npm and executes a function from it. This behavior is unrelated to its advertised purpose as a chai plugin and results in execution of attacker-controlled code on the host system.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The 'chain-as-log' npm package version 3.0.1 advertises itself as a chai plugin for assertion helpers. However, when loaded, it runs a function that tries to require an unrelated package 'dbconnectify'. If this package is not found, the code silently runs an npm install command to fetch 'dbconnectify' without saving it to dependencies and with suppressed logs. It then instantiates this package and calls a method 'queryDBConnect()'. This sequence effectively acts as a stager, causing the execution of attacker-controlled code on the host machine during package load, which is a malicious behavior unrelated to the package's stated functionality.
Potential Impact
Loading the affected version of 'chain-as-log' results in the execution of attacker-controlled code on the host system. This can lead to unauthorized actions, potential system compromise, or further malicious activity initiated by the installed 'dbconnectify' package. The malicious code is triggered automatically upon plugin use, making it a supply chain risk for developers and environments that include this package.
Mitigation Recommendations
No official patch or remediation is currently documented. Users should avoid using 'chain-as-log' version 3.0.1. Remove the package from projects and replace it with trusted alternatives. Monitor for updates from the package maintainer or npm advisories for any official fixes. Since this is a malicious package, consider scanning existing environments for its presence and remove it if found.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-10668
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a577ed868715ace43b3faba
Added to database: 07/15/2026, 12:36:40 UTC
Last enriched: 07/15/2026, 12:46:04 UTC
Last updated: 07/16/2026, 03:36:27 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.