registry  /  chai-defender  /  1.0.0-beta.1

chai-defender@1.0.0-beta.1

Chai.js assertions for defender

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10050 confirms this npm version as malicious. On require('chai-defender'), index.js invokes launchDeflectBootstrap() which spawns a detached background node process running lib/caller.js. That process loads lib/initstate.js, which performs an HTTP GET against a hardcoded remote endpoint (http://check-server-state.vercel.app/server/v2) and passes the response body into `new Function('require', <response>)(require)`, executing attacker-controlled JavaScript with...

Advisory
MAL-2026-10050
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in chai-defender (npm)
Details
On require('chai-defender'), index.js invokes launchDeflectBootstrap() which spawns a detached background node process running lib/caller.js. That process loads lib/initstate.js, which performs an HTTP GET against a hardcoded remote endpoint (http://check-server-state.vercel.app/server/v2) and passes the response body into `new Function('require', <response>)(require)`, executing attacker-controlled JavaScript with access to Node's require in the installer's process. The package presents itself as a Chai assertions plugin ('Security-focused Chai assertions'), but this fetch-and-exec behavior is unrelated to any assertion functionality. The lib/ directory is padded with files whose names mimic the pino logger project (multistream.js, transport.js, redaction.js, levels.js, symbols.js, worker.js) and reference a non-existent./flowlimit.js module; these files are not wired into index.js and appear to exist to make the package look substantial while the real payload is lib/const.js + lib/initstate.js. Plain HTTP transport additionally exposes the eval channel to in-path payload injection. Any project that requires this package hands remote code execution to whoever controls check-server-state.vercel.app.
Decision reason
OpenSSF Malicious Packages via OSV confirms chai-defender@1.0.0-beta.1 as malicious (MAL-2026-10050): Malicious code in chai-defender (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory