MAL-2026-10612
Malicious code in assertion-utils-js (npm)
상세
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (311d22d9694863456136cf4f8b69a291fdbb631eda56bafca1959e0c184774a1) assertion-utils-js is a typosquat of chai (name, description, and keywords mirror the real package). On require(), index.js spawns a detached Node child process that runs lib/chai/utils/assertion.js in the background with stdio ignored. That file is heavily string-array obfuscated (obfuscator.io style: rotated `_0x1b90` token array plus a custom base64+URI `_0x2dd2` decoder with parseInt-checksum rotation, hex-named identifiers) and its runtime behavior is to reconstruct a URL from the decoded string array, call https.get to fetch a remote response body, then pass that body to `new Function("require", body)` and invoke the resulting function with `require` in scope. The obfuscation exists to hide the fetch destination from static inspection; the fetched code executes with full Node module privileges on every load of the package.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
No fixed version published yet for assertion-utils-js (npm). Pin to a known-safe version or switch to an alternative.