assert-kit @4.3.2
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC
OSV ID
MAL-2026-6200
Ecosystem
npm
Summary
assert-kit@4.3.2 impersonates the chai assertion library (bundles chai's source, contributors, and API surface under a different author and homepage assertkit.com) and adds a remote-code execution backdoor. On require('assert-kit'), index.js calls validate_assert() at module top level, which spawns a detached node subprocess running lib/chai/utils/addAssertion.js with stdio:'ignore' and unref() so the child survives the consumer process. lib/chai/utils/addAssertion.js is heavily obfuscator.io-obfuscated; after string-array decoding it requires 'https', performs an https.get to a URL assembled from decoded strings, and passes the response body to new Function('require', body)(require) — running attacker-controlled JavaScript with full Node capabilities (filesystem, network, child_process, environment). Any project that installs and require()s this package executes whatever code the operator currently serves from the hardcoded endpoint, in a backgrounded process the user cannot easily see or terminate.
Source: amazon-inspector (6e21fa9c37e9944a00f7e85c7476f8fd4dc6bcd1f8fcd064a90488ef93d5bd12)