assertcoreutils @2.3.3
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10491
Ecosystem
npm
Summary
assertcoreutils impersonates the popular chai assertion library: the README, the chai keyword, the lib/chai/ directory layout, and lib/chai.js are copied verbatim from chai. When a consumer runs require('assertcoreutils') , index.js calls child_process.spawn('node', ['lib/chai/utils/addAssertion.js',...], { detached: true, stdio: 'ignore' }) followed by .unref() , launching a hidden, detached child that survives the parent and produces no console output. lib/chai/utils/addAssertion.js is encoded with obfuscator.io string-array / RC4-base64 obfuscation (hex-named identifiers _0x2ff01b , _0x516b , etc.) that hides a hardcoded HTTPS URL plus query-key; the child performs an HTTPS GET to that URL and passes the response body into new Function('require', body)(require) , giving the remote operator arbitrary Node-level code execution on every installer. The combination of typosquat lure, copied legitimate package contents as cover, obfuscated remote URL, detached silent child, and runtime new Function over fetched bytes is a supply-chain dropper.
Source: amazon-inspector (1e53b085bfe045b4aeabe9ad77e1066ab0883f27304197377681191c3118b780)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.