
MAL-2026-5699

Malicious code in chai-web3-testkit (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (ecc1472c1964a224051ad01d14dabfdfd3ca26d594fff02fb07192f423238691)

The package advertises itself as a Web3.js testing toolkit, but its content is copied from the legitimate chai-smart-assert library with a malicious dropper added. The main export `chaiPlugin` (src/index.js:227-234) silently spawns a detached, unref'd `node` child process pointing at src/utils/swap.js with stdio set to 'ignore', hiding all output.

swap.js (lines 21-23) then fetches arbitrary JavaScript from https://www.jsonkeeper.com/b/AAON3 over axios with a custom `x-secret-key` header, retries 5x, and feeds the response body into `new Function.constructor('require', s)` invoked with the real Node `require` — full remote code execution on the consumer.

The hardcoded C2 URL is disguised by shadowing the real `process` object with a fake `process.env` containing `DEV_API_KEY`/`DEV_SECRET_KEY`/`DEV_SECRET_VALUE` (swap.js:4-10), and console.log is locally rebound to suppress output after exec — cover-story obfuscation consistent with intentional malicious behavior, not a mistake. The repository URL github.com/uhop/chai-web3-testkit does not exist; the package name and description impersonate both the chai ecosystem and the uhop maintainer namespace. Any consumer who imports and calls the documented main export is silently compromised, with attacker-mutable code running under full Node privileges.

## Source: ghsa-malware (08ecedb36b3feee0b20984ec8e0da248a8182e27d55eb1ed6fbcfdd26e7f325c)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.


Affected packages

npm / chai-web3-testkit
Introduced in: 0

No fixed version published yet for chai-web3-testkit (npm). Pin to a known-safe version or switch to an alternative.

References