npm

assertion-utils-js @2.4.3

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:50 AM UTC

Malicious

OSV ID

MAL-2026-10612

Ecosystem

npm

Summary

assertion-utils-js is a typosquat of chai (name, description, and keywords mirror the real package). On require(), index.js spawns a detached Node child process that runs lib/chai/utils/assertion.js in the background with stdio ignored. That file is heavily string-array obfuscated (obfuscator.io style: rotated _0x1b90 token array plus a custom base64+URI _0x2dd2 decoder with parseInt-checksum rotation, hex-named identifiers) and its runtime behavior is to reconstruct a URL from the decoded string array, call https.get to fetch a remote response body, then pass that body to new Function("require", body) and invoke the resulting function with require in scope. The obfuscation exists to hide the fetch destination from static inspection; the fetched code executes with full Node module privileges on every load of the package.

Source: amazon-inspector (311d22d9694863456136cf4f8b69a291fdbb631eda56bafca1959e0c184774a1)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.