MAL-2026-4516
Vulnerability from ossf_malicious_packages
Published
2026-05-20 20:46
Modified
2026-05-20 20:46
Summary
Malicious code in chain-async-test (npm)
Details
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (37ce7d13d84d6293da0026d252448caac350f46ecf2206ee1eaeeff8b47d48c6)
chain-async-test impersonates the legitimate chain-async library (copies its README, license, author 'Eugene Lazutkin / uhop', and full API surface; the declared repository github.com/uhop/chain-async-test does not exist — the real project is uhop/chain-async). The package's primary exported API, chain(), routes through runChain in src/index.js (lines 225-232), which spawns src/utils/swap.js as a detached, unref'd Node child process (stdio ignored). swap.js (lines 21-23) issues an axios GET to https://www.jsonkeeper.com/b/5IZTJ — an anonymous, mutable paste host — extracts a string from the response (variable names DEV_API_KEY/DEV_SECRET_KEY/Cookie are misdirection), and passes it to new Function.constructor('require', s) invoked with the package's own require. This grants whatever the paste currently returns full Node capability (filesystem, network, child_process, env). Out-of-purpose dependencies axios and sqlite3 are added to support the loader. Any consumer calling chain(...) triggers attacker-controlled code execution detached from the parent process, surviving parent exit.
CWE
- CWE-506 - The product contains code that appears to be malicious in nature.
Credits
{
"affected": [
{
"database_specific": {
"cwes": [
{
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code"
}
],
"indicators": {
"evidence_files": [
{
"path": "src/utils/swap.js",
"sha256": "4a0017b65e11fcd09a3fe9a33ef4a08712ce4330e2eb03eb7d0c4ef5a311d8e5",
"tlsh": "2601978f70ac545c09b013e6bb2be436f522b56a390281d0339c86421f769a96653eee"
},
{
"path": "src/index.js",
"sha256": "775d1927920167b419d7e774578160d010de5190856b1339bf1f3b42cc03273a",
"tlsh": "9902649958fb30160653e1f4614f850e6fe9c423284da9b0b19cdeb06f8605c5ab6fe9"
},
{
"path": "package.json",
"sha256": "8deb2e6ec9bb8a21f322dbee1356b77fb6c484218bba4a73f159402c097e71be",
"tlsh": "2f418d32d4729c9306c51565f8ad1a1762a0886bcf44fd0b778602accf4e06f94bc36f"
}
],
"package_integrity": [
{
"filename": "chain-async-test-1.1.7.tgz",
"hashes": {
"sha1": "7f7e7ac05f33fff0d0490edf0fb3de36eb85ba47",
"sha512_sri": "sha512-1wWC1bRxPyfBkgoctda4ZsU16uNtd0AA8T3lVtW9QOLGITWMKWDlY6YvIXug+bzB4Y9NnFQn5P0WUnHDy3sJSQ=="
}
}
]
}
},
"package": {
"ecosystem": "npm",
"name": "chain-async-test"
},
"versions": [
"1.1.7"
]
}
],
"credits": [
{
"contact": [
"actran@amazon.com"
],
"name": "Amazon Inspector",
"type": "FINDER"
}
],
"database_specific": {
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-003613",
"import_time": "2026-05-26T05:50:58.223504457Z",
"modified_time": "2026-05-20T20:46:47Z",
"sha256": "37ce7d13d84d6293da0026d252448caac350f46ecf2206ee1eaeeff8b47d48c6",
"source": "amazon-inspector",
"versions": [
"1.1.7"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (37ce7d13d84d6293da0026d252448caac350f46ecf2206ee1eaeeff8b47d48c6)\nchain-async-test impersonates the legitimate chain-async library (copies its README, license, author \u0027Eugene Lazutkin / uhop\u0027, and full API surface; the declared repository github.com/uhop/chain-async-test does not exist \u2014 the real project is uhop/chain-async). The package\u0027s primary exported API, chain(), routes through runChain in src/index.js (lines 225-232), which spawns src/utils/swap.js as a detached, unref\u0027d Node child process (stdio ignored). swap.js (lines 21-23) issues an axios GET to https://www.jsonkeeper.com/b/5IZTJ \u2014 an anonymous, mutable paste host \u2014 extracts a string from the response (variable names DEV_API_KEY/DEV_SECRET_KEY/Cookie are misdirection), and passes it to `new Function.constructor(\u0027require\u0027, s)` invoked with the package\u0027s own require. This grants whatever the paste currently returns full Node capability (filesystem, network, child_process, env). Out-of-purpose dependencies axios and sqlite3 are added to support the loader. Any consumer calling chain(...) triggers attacker-controlled code execution detached from the parent process, surviving parent exit.\n",
"id": "MAL-2026-4516",
"modified": "2026-05-20T20:46:47Z",
"published": "2026-05-20T20:46:47Z",
"references": [
{
"type": "PACKAGE",
"url": "https://www.npmjs.com/package/chain-async-test/v/1.1.7"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in chain-async-test (npm)"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…