VDB
KO

MAL-2026-10612

Malicious code in assertion-utils-js (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (311d22d9694863456136cf4f8b69a291fdbb631eda56bafca1959e0c184774a1) assertion-utils-js is a typosquat of chai (name, description, and keywords mirror the real package). On require(), index.js spawns a detached Node child process that runs lib/chai/utils/assertion.js in the background with stdio ignored. That file is heavily string-array obfuscated (obfuscator.io style: rotated `_0x1b90` token array plus a custom base64+URI `_0x2dd2` decoder with parseInt-checksum rotation, hex-named identifiers) and its runtime behavior is to reconstruct a URL from the decoded string array, call https.get to fetch a remote response body, then pass that body to `new Function("require", body)` and invoke the resulting function with `require` in scope. The obfuscation exists to hide the fetch destination from static inspection; the fetched code executes with full Node module privileges on every load of the package.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / assertion-utils-js

No fixed version published yet for assertion-utils-js (npm). Pin to a known-safe version or switch to an alternative.

References