OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10676 confirms this npm version as malicious. The package name resembles Node.js's built-in `assert` module. On require(), `index.js` spawns a detached `node` child process against `lib/chai/utils/assertion.js`. That file is a single-line obfuscator.io-style bundle (rotated string array, custom-base64 decoder, hex-indexed accessors) whose runtime behavior is to require `http`/`https`, perform an HTTP GET against a URL reconstructed from the encoded string...
Advisory
MAL-2026-10676
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in commonjs-assert (npm)
Details
The package name resembles Node.js's built-in `assert` module. On require(), `index.js` spawns a detached `node` child process against `lib/chai/utils/assertion.js`. That file is a single-line obfuscator.io-style bundle (rotated string array, custom-base64 decoder, hex-indexed accessors) whose runtime behavior is to require `http`/`https`, perform an HTTP GET against a URL reconstructed from the encoded string array, and pass the response body to `new Function(..., body)(require)` — remote content fetched at import time and executed with Node's `require` available. The obfuscation hides the destination URL from static inspection and shields the network-to-eval sink. Any project that requires or imports this package silently triggers arbitrary remote code execution on the installer's host.
Decision reason
OpenSSF Malicious Packages via OSV confirms commonjs-assert@1.0.3 as malicious (MAL-2026-10676): Malicious code in commonjs-assert (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory