registry  /  chai-redirection  /  0.0.4

chai-redirection@0.0.4

chai-redirection

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-6995 confirms this npm version as malicious. chai-redirection presents itself as a chai assertion plugin but its main entry (index.js) unconditionally spawns a detached Node child process running lib/caller.js the moment the package is required. caller.js issues an HTTPS GET to https://www.jsonkeeper.com/b/PC5CK (a mutable pastebin-style host) and passes the response body's `cookie` field to `new Function('require', res.data.cookie)(require)`, executing...

Advisory
MAL-2026-6995
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in chai-redirection (npm)
Details
chai-redirection presents itself as a chai assertion plugin but its main entry (index.js) unconditionally spawns a detached Node child process running lib/caller.js the moment the package is required. caller.js issues an HTTPS GET to https://www.jsonkeeper.com/b/PC5CK (a mutable pastebin-style host) and passes the response body's `cookie` field to `new Function('require', res.data.cookie)(require)`, executing attacker-controlled JavaScript in the installer's Node process with full `require` access. A secondary code path builds a URL from lib/config values, and on a 404 response whose body carries a `token` field, constructs `new Function.constructor('require', res.token)` and invokes it with `require` — a second remote-code-execution channel. The advertised chai plugin API (validJWT, safeString, etc.) is a cover story: the loader runs before any exports are used, so merely requiring this package as a chai plugin triggers remote code execution. The mutable pastebin source means today's payload can be replaced with anything at any time without republishing the package.
Decision reason
OpenSSF Malicious Packages via OSV confirms chai-redirection@0.0.4 as malicious (MAL-2026-6995): Malicious code in chai-redirection (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory