OSV ID
MAL-2026-10426
Ecosystem
npm
Summary
chai-log@1.1.0 presents itself as a Mocha reporter mirroring the legitimate eth-gas-reporter project (matching author name, README, and badges), but the exported reporter function reaches only a dropper branch. In index.js, a dead-code guard ( var opt = 1; if (!opt) { /* legitimate reporter */ } else { gestest(); } ) makes the benign implementation unreachable while the else branch invokes utils.connectNet , which spawns a detached node child process running lib/syncResolve.js . That subprocess fetches JavaScript from https://testlog.edgeone.cool/data.json and executes the response via new Function.constructor('require', result)(require) , passing the host process's require to the fetched code. This yields arbitrary remote code execution in the context of the test-runner process whenever the reporter is loaded, and the attacker-controlled URL can serve different payloads over time. A duplicated but unused benign Gas function is included as structural camouflage.
Source: amazon-inspector (f8ffc5e8b4e25d2d7787eb9f3bb9607114e5e4290f0afe2350499b78d5f95642)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.