VDB
KO

MAL-2026-10676

Malicious code in commonjs-assert (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b7fa2454998144bffed3fc1e2d73046b8414179b59fb99d3339f2658e00637f7) The package name resembles Node.js's built-in `assert` module. On require(), `index.js` spawns a detached `node` child process against `lib/chai/utils/assertion.js`. That file is a single-line obfuscator.io-style bundle (rotated string array, custom-base64 decoder, hex-indexed accessors) whose runtime behavior is to require `http`/`https`, perform an HTTP GET against a URL reconstructed from the encoded string array, and pass the response body to `new Function(..., body)(require)` — remote content fetched at import time and executed with Node's `require` available. The obfuscation hides the destination URL from static inspection and shields the network-to-eval sink. Any project that requires or imports this package silently triggers arbitrary remote code execution on the installer's host.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / commonjs-assert

No fixed version published yet for commonjs-assert (npm). Pin to a known-safe version or switch to an alternative.

References