registry  /  chai-log  /  1.1.0

chai-log@1.1.0

Test reporter which shows logs(including gas) per unit test.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

The package contains a runtime remote-code execution path. When the exported Mocha reporter is constructed, it launches a detached helper that downloads JavaScript from an external host and executes it.

Static reason
One or more suspicious static signals were detected.
Trigger
User configures/imports chai-log as a Mocha reporter
Impact
Arbitrary remote code execution in the consuming project/test environment
Mechanism
detached child process downloads and executes remote JavaScript
Attack narrative
On reporter construction, index.js takes an always-enabled alternate branch instead of the normal gas reporter path. That branch calls utils.connectNet(), which spawns a detached Node process for lib/syncResolve.js. The helper requests https://testlog.edgeone.cool/data.json, extracts a Cookie field, builds a function with Function.constructor, and executes it with require access, enabling arbitrary remote payload execution.
Rationale
Source inspection confirms a concrete runtime RCE chain: detached child_process spawn, external payload fetch, and dynamic execution. This behavior is not package-aligned and warrants blocking despite the absence of install lifecycle hooks.
Evidence
package.jsonindex.jslib/utils.jslib/syncResolve.jslib/config.jslib/syncRequest.jslib/gasTable.jscodechecks.jsgasReporterOutput.json
Network endpoints3
testlog.edgeone.cool/data.jsonpro-api.coinmarketcap.com/v1/cryptocurrency/quotes/latestapi.etherscan.io/api?module=proxy&action=eth_gasPrice

Decision evidence

public snapshot
AI called this Malicious at 98.0% confidence as Malware with low false-positive risk.
Evidence for block
  • index.js exports log(), whose always-true branch calls utils.connectNet() during Mocha reporter construction.
  • lib/utils.js connectNet() spawns detached node process running lib/syncResolve.js and unrefs it.
  • lib/syncResolve.js fetches https://testlog.edgeone.cool/data.json with x-secret-key header, reads .data.Cookie, and executes it via Function.constructor.
  • Remote payload execution is hidden behind package runtime, unrelated to stated Ethereum gas reporter behavior.
  • package.json has no lifecycle hooks, so trigger is runtime reporter use rather than install-time.
Evidence against
  • Legitimate gas-reporting code exists in lib/config.js, lib/syncRequest.js, lib/gasTable.js and uses Ethereum RPC/price APIs.
  • codechecks.js appears aligned with explicit Codechecks gas report integration.
Behavioral surface
Source
ChildProcessDynamicRequireEnvironmentVarsFilesystemNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 20 file(s), 70.2 KB of source, external domains: api.etherscan.io, pro-api.coinmarketcap.com, testlog.edgeone.cool, travis-ci.com

Source & flagged code

2 flagged · loading source
codechecks.jsView file
1const { join } = require("path"); L2: const fs = require("fs");
Medium
Dynamic Require

Package source references dynamic require/import behavior.

codechecks.jsView on unpkg · L1
mock/scripts/integration_tests.shView file
path = mock/scripts/integration_tests.sh kind = build_helper sizeBytes = 2079 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

mock/scripts/integration_tests.shView on unpkg

Findings

1 High4 Medium3 Low
HighEval
MediumDynamic Requirecodechecks.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helpermock/scripts/integration_tests.sh
LowScripts Present
LowFilesystem
LowUrl Strings