OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10612 confirms this npm version as malicious. assertion-utils-js is a typosquat of chai (name, description, and keywords mirror the real package). On require(), index.js spawns a detached Node child process that runs lib/chai/utils/assertion.js in the background with stdio ignored. That file is heavily string-array obfuscated (obfuscator.io style: rotated `_0x1b90` token array plus a custom base64+URI `_0x2dd2` decoder with parseInt-checksum rotation, hex-named...
Advisory
MAL-2026-10612
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in assertion-utils-js (npm)
Details
assertion-utils-js is a typosquat of chai (name, description, and keywords mirror the real package). On require(), index.js spawns a detached Node child process that runs lib/chai/utils/assertion.js in the background with stdio ignored. That file is heavily string-array obfuscated (obfuscator.io style: rotated `_0x1b90` token array plus a custom base64+URI `_0x2dd2` decoder with parseInt-checksum rotation, hex-named identifiers) and its runtime behavior is to reconstruct a URL from the decoded string array, call https.get to fetch a remote response body, then pass that body to `new Function("require", body)` and invoke the resulting function with `require` in scope. The obfuscation exists to hide the fetch destination from static inspection; the fetched code executes with full Node module privileges on every load of the package.
Decision reason
OpenSSF Malicious Packages via OSV confirms assertion-utils-js@2.4.3 as malicious (MAL-2026-10612): Malicious code in assertion-utils-js (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory