MAL-2026-10491
Malicious code in assertcoreutils (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (1e53b085bfe045b4aeabe9ad77e1066ab0883f27304197377681191c3118b780) assertcoreutils impersonates the popular `chai` assertion library: the README, the `chai` keyword, the `lib/chai/` directory layout, and `lib/chai.js` are copied verbatim from chai. When a consumer runs `require('assertcoreutils')`, index.js calls `child_process.spawn('node', ['lib/chai/utils/addAssertion.js',...], { detached: true, stdio: 'ignore' })` followed by `.unref()`, launching a hidden, detached child that survives the parent and produces no console output. `lib/chai/utils/addAssertion.js` is encoded with obfuscator.io string-array / RC4-base64 obfuscation (hex-named identifiers `_0x2ff01b`, `_0x516b`, etc.) that hides a hardcoded HTTPS URL plus query-key; the child performs an HTTPS GET to that URL and passes the response body into `new Function('require', body)(require)`, giving the remote operator arbitrary Node-level code execution on every installer. The combination of typosquat lure, copied legitimate package contents as cover, obfuscated remote URL, detached silent child, and runtime `new Function` over fetched bytes is a supply-chain dropper.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for assertcoreutils (npm). Pin to a known-safe version or switch to an alternative.