OSV Malicious Advisory
scanned 2h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6994 confirms this npm version as malicious. The package presents itself as a chai assertion plugin but its main entrypoint index.js contains an appended IIFE that, on every require, performs an HTTPS GET against https://www.jsonkeeper.com/b/PC5CK, takes the `cookie` field from the JSON response, wraps it in `new Function('require',...)`, and invokes it with the package's own `require` — giving the fetched payload full Node privileges in the importing process...
Advisory
MAL-2026-6994
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in chai-presentation (npm)
Details
The package presents itself as a chai assertion plugin but its main entrypoint index.js contains an appended IIFE that, on every require, performs an HTTPS GET against https://www.jsonkeeper.com/b/PC5CK, takes the `cookie` field from the JSON response, wraps it in `new Function('require',...)`, and invokes it with the package's own `require` — giving the fetched payload full Node privileges in the importing process. index.js additionally spawns a detached, stdio-ignored Node child running lib/caller.js, which loops an HTTP GET against a URL constructed from lib/config.js and, on a 404 with a `token` body, evaluates that body via `new (Function.constructor)('require', res.token)` — a second, backgrounded remote-code-execution channel that survives the parent. The advertised chai helpers and an unrelated bundled 'flowlimit' lib/ tree serve as cover for the loaders. jsonkeeper.com is a mutable paste-style host, so the delivered payload can change silently without a package update.
Decision reason
OpenSSF Malicious Packages via OSV confirms chai-presentation@0.0.1 as malicious (MAL-2026-6994): Malicious code in chai-presentation (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory