OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10491 confirms this npm version as malicious. assertcoreutils impersonates the popular `chai` assertion library: the README, the `chai` keyword, the `lib/chai/` directory layout, and `lib/chai.js` are copied verbatim from chai. When a consumer runs `require('assertcoreutils')`, index.js calls `child_process.spawn('node', ['lib/chai/utils/addAssertion.js',...], { detached: true, stdio: 'ignore' })` followed by `.unref()`, launching a hidden, detached child that...
Advisory
MAL-2026-10491
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in assertcoreutils (npm)
Details
assertcoreutils impersonates the popular `chai` assertion library: the README, the `chai` keyword, the `lib/chai/` directory layout, and `lib/chai.js` are copied verbatim from chai. When a consumer runs `require('assertcoreutils')`, index.js calls `child_process.spawn('node', ['lib/chai/utils/addAssertion.js',...], { detached: true, stdio: 'ignore' })` followed by `.unref()`, launching a hidden, detached child that survives the parent and produces no console output. `lib/chai/utils/addAssertion.js` is encoded with obfuscator.io string-array / RC4-base64 obfuscation (hex-named identifiers `_0x2ff01b`, `_0x516b`, etc.) that hides a hardcoded HTTPS URL plus query-key; the child performs an HTTPS GET to that URL and passes the response body into `new Function('require', body)(require)`, giving the remote operator arbitrary Node-level code execution on every installer. The combination of typosquat lure, copied legitimate package contents as cover, obfuscated remote URL, detached silent child, and runtime `new Function` over fetched bytes is a supply-chain dropper.
Decision reason
OpenSSF Malicious Packages via OSV confirms assertcoreutils@2.3.3 as malicious (MAL-2026-10491): Malicious code in assertcoreutils (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory