npm

assertcoreutils @2.3.3

Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC

Malicious

OSV ID

MAL-2026-10491

Ecosystem

npm

Summary

assertcoreutils impersonates the popular chai assertion library: the README, the chai keyword, the lib/chai/ directory layout, and lib/chai.js are copied verbatim from chai. When a consumer runs require('assertcoreutils') , index.js calls child_process.spawn('node', ['lib/chai/utils/addAssertion.js',...], { detached: true, stdio: 'ignore' }) followed by .unref() , launching a hidden, detached child that survives the parent and produces no console output. lib/chai/utils/addAssertion.js is encoded with obfuscator.io string-array / RC4-base64 obfuscation (hex-named identifiers _0x2ff01b , _0x516b , etc.) that hides a hardcoded HTTPS URL plus query-key; the child performs an HTTPS GET to that URL and passes the response body into new Function('require', body)(require) , giving the remote operator arbitrary Node-level code execution on every installer. The combination of typosquat lure, copied legitimate package contents as cover, obfuscated remote URL, detached silent child, and runtime new Function over fetched bytes is a supply-chain dropper.

Source: amazon-inspector (1e53b085bfe045b4aeabe9ad77e1066ab0883f27304197377681191c3118b780)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.