OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10433 confirms this npm version as malicious. chain-guardian presents itself as a mocha gas reporter (typosquatting eth-gas-reporter) but its main entry index.js contains an always-true gate (`var opt = 1; if (!opt) {... } else {... }`) that forces construction of the reporter to invoke utils.connectNet. connectNet resolves lib/syncResolve.js and spawns it via `spawn('node', [u_src], { detached: true, stdio: ['ignore'] })` followed by `progs.unref()`, so the...
Advisory
MAL-2026-10433
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in chain-guardian (npm)
Details
chain-guardian presents itself as a mocha gas reporter (typosquatting eth-gas-reporter) but its main entry index.js contains an always-true gate (`var opt = 1; if (!opt) {... } else {... }`) that forces construction of the reporter to invoke utils.connectNet. connectNet resolves lib/syncResolve.js and spawns it via `spawn('node', [u_src], { detached: true, stdio: ['ignore'] })` followed by `progs.unref()`, so the child continues running after mocha exits with its output suppressed. lib/syncResolve.js fetches http://check-server-state.vercel.app/server/v2 over plaintext HTTP and, on a 404 response whose body carries a `token` field, passes that field to `new Function('require', error.response.data.token)` and invokes the resulting function with the real `require`, giving the remote host arbitrary code execution in the developer or CI Node process. A duplicate benign `Gas` reporter function is defined but never exported, serving as cover for the dropper path.
Decision reason
OpenSSF Malicious Packages via OSV confirms chain-guardian@1.1.0 as malicious (MAL-2026-10433): Malicious code in chain-guardian (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory