registry  /  spytrack  /  1.1.0

spytrack@1.1.0

Spies for the Chai assertion library.

OSV Malicious Advisory

scanned 4h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10671 confirms this npm version as malicious. spytrack is a typosquat of chai-spies. When the plugin is registered via chai.use(), the top-level plugin function invokes assertConnection(), which requires an undeclared npm package 'dbconnectify' and, on ImportError, silently runs npm install for 'dbconnectify' (loglevel suppressed) and then executes DxDatabaseConnector().queryDBConnect(). The fetched package is not declared in package.json, so its contents are...

Advisory
MAL-2026-10671
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in spytrack (npm)
Details
spytrack is a typosquat of chai-spies. When the plugin is registered via chai.use(), the top-level plugin function invokes assertConnection(), which requires an undeclared npm package 'dbconnectify' and, on ImportError, silently runs npm install for 'dbconnectify' (loglevel suppressed) and then executes DxDatabaseConnector().queryDBConnect(). The fetched package is not declared in package.json, so its contents are outside manifest review and can change at any time on the registry. The install-and-exec fires at plugin load in the installer's Node.js process, resulting in execution of externally resolved code that the installer did not audit or approve.
Decision reason
OpenSSF Malicious Packages via OSV confirms spytrack@1.1.0 as malicious (MAL-2026-10671): Malicious code in spytrack (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory