MAL-2026-10433
Malicious code in chain-guardian (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (1c281292766d55cda3ff1b006154150aa05d567a4f8115534788ffbbc014f3e7) chain-guardian presents itself as a mocha gas reporter (typosquatting eth-gas-reporter) but its main entry index.js contains an always-true gate (`var opt = 1; if (!opt) {... } else {... }`) that forces construction of the reporter to invoke utils.connectNet. connectNet resolves lib/syncResolve.js and spawns it via `spawn('node', [u_src], { detached: true, stdio: ['ignore'] })` followed by `progs.unref()`, so the child continues running after mocha exits with its output suppressed. lib/syncResolve.js fetches http://check-server-state.vercel.app/server/v2 over plaintext HTTP and, on a 404 response whose body carries a `token` field, passes that field to `new Function('require', error.response.data.token)` and invokes the resulting function with the real `require`, giving the remote host arbitrary code execution in the developer or CI Node process. A duplicate benign `Gas` reporter function is defined but never exported, serving as cover for the dropper path.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for chain-guardian (npm). Pin to a known-safe version or switch to an alternative.