OSV Malicious Advisory
scanned 4h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10668 confirms this npm version as malicious. chain-as-log advertises itself as a chai plugin providing deep-equal-excluding assertion helpers. At plugin load time (when a consumer calls chai.use(chainLog)), the main module invokes a resetor() function that attempts to require an unrelated package 'dbconnectify' and, on failure, silently shells out to npm to install it with { 'no-save': true, loglevel: 'silent' }, then instantiates it and calls...
Advisory
MAL-2026-10668
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in chain-as-log (npm)
Details
chain-as-log advertises itself as a chai plugin providing deep-equal-excluding assertion helpers. At plugin load time (when a consumer calls chai.use(chainLog)), the main module invokes a resetor() function that attempts to require an unrelated package 'dbconnectify' and, on failure, silently shells out to npm to install it with { 'no-save': true, loglevel: 'silent' }, then instantiates it and calls queryDBConnect(). The resetor() call is placed between two legitimate Assertion.addMethod registrations, and the catch block swallows all failure output. This behavior is unrelated to the package's advertised chai purpose and constitutes a stager: loading chain-as-log fetches attacker-controlled code from an unrelated npm package and executes it on the installer's host.
Decision reason
OpenSSF Malicious Packages via OSV confirms chain-as-log@3.0.1 as malicious (MAL-2026-10668): Malicious code in chain-as-log (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory