MAL-2026-6532: Malicious code in chai-as-assured (npm)
The npm package chai-as-assured impersonates the popular chai-as-promised package and contains malicious code that fetches and executes remote JavaScript with full Node.js privileges. This remote code execution occurs via a base64-decoded URL from a third-party host, dynamically executing the fetched payload with access to require, enabling filesystem, network, and process control. The malicious code uses obfuscation techniques to hide attacker infrastructure and evade casual review. The affected version is exactly 7.1.2.
AI Analysis
Technical Summary
chai-as-assured is a malicious npm package designed to impersonate chai-as-promised by matching its README, author, and API surface. When used, it asynchronously fetches a payload from a hardcoded, obfuscated URL and executes the 'cookie' field of the JSON response as JavaScript code using new Function with require passed in, granting full Node.js module privileges. The attacker infrastructure details (C2 URL and headers) are concealed via base64 strings in a fake local process.env object to evade detection. This results in an unambiguous remote code execution dropper targeting any project that installs and loads this plugin.
Potential Impact
Any project that installs and loads chai-as-assured version 7.1.2 is subject to remote code execution by the attacker-controlled payload. The executed code runs with full Node.js privileges, including filesystem, network, and child process access, which can lead to complete system compromise, data theft, or further malware deployment.
Mitigation Recommendations
No official patch or fix is currently available for chai-as-assured version 7.1.2. Users should immediately remove this package from their dependencies and replace it with the legitimate chai-as-promised package. Avoid installing packages that impersonate popular libraries and verify package authenticity before use. Monitor dependency sources carefully to prevent supply chain attacks.
MAL-2026-6532: Malicious code in chai-as-assured (npm)
Description
The npm package chai-as-assured impersonates the popular chai-as-promised package and contains malicious code that fetches and executes remote JavaScript with full Node.js privileges. This remote code execution occurs via a base64-decoded URL from a third-party host, dynamically executing the fetched payload with access to require, enabling filesystem, network, and process control. The malicious code uses obfuscation techniques to hide attacker infrastructure and evade casual review. The affected version is exactly 7.1.2.
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
chai-as-assured is a malicious npm package designed to impersonate chai-as-promised by matching its README, author, and API surface. When used, it asynchronously fetches a payload from a hardcoded, obfuscated URL and executes the 'cookie' field of the JSON response as JavaScript code using new Function with require passed in, granting full Node.js module privileges. The attacker infrastructure details (C2 URL and headers) are concealed via base64 strings in a fake local process.env object to evade detection. This results in an unambiguous remote code execution dropper targeting any project that installs and loads this plugin.
Potential Impact
Any project that installs and loads chai-as-assured version 7.1.2 is subject to remote code execution by the attacker-controlled payload. The executed code runs with full Node.js privileges, including filesystem, network, and child process access, which can lead to complete system compromise, data theft, or further malware deployment.
Mitigation Recommendations
No official patch or fix is currently available for chai-as-assured version 7.1.2. Users should immediately remove this package from their dependencies and replace it with the legitimate chai-as-promised package. Avoid installing packages that impersonate popular libraries and verify package authenticity before use. Monitor dependency sources carefully to prevent supply chain attacks.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- MAL-2026-6532
- Osv Schema Version
- 1.7.4
- Aliases
- []
- Ecosystems
- ["npm"]
- Database Specific Severity
- null
- Cvss Version
- null
Threat ID: 6a3ef79327e9c79719ff7b71
Added to database: 06/26/2026, 22:05:07 UTC
Last enriched: 06/26/2026, 22:18:35 UTC
Last updated: 06/26/2026, 22:18:35 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.