VDB
EN

MAL-2026-10426

Malicious code in chai-log (npm)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (f8ffc5e8b4e25d2d7787eb9f3bb9607114e5e4290f0afe2350499b78d5f95642) chai-log@1.1.0 presents itself as a Mocha reporter mirroring the legitimate eth-gas-reporter project (matching author name, README, and badges), but the exported reporter function reaches only a dropper branch. In index.js, a dead-code guard (`var opt = 1; if (!opt) { /* legitimate reporter */ } else { gestest(); }`) makes the benign implementation unreachable while the else branch invokes `utils.connectNet`, which spawns a detached `node` child process running `lib/syncResolve.js`. That subprocess fetches JavaScript from https://testlog.edgeone.cool/data.json and executes the response via `new Function.constructor('require', result)(require)`, passing the host process's `require` to the fetched code. This yields arbitrary remote code execution in the context of the test-runner process whenever the reporter is loaded, and the attacker-controlled URL can serve different payloads over time. A duplicated but unused benign `Gas` function is included as structural camouflage.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / chai-log

No fixed version published yet for chai-log (npm). Pin to a known-safe version or switch to an alternative.

참고