chai-presentation @0.0.1
Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 7:23 PM UTC
OSV ID
MAL-2026-6994
Ecosystem
npm
Summary
The package presents itself as a chai assertion plugin but its main entrypoint index.js contains an appended IIFE that, on every require, performs an HTTPS GET against https://www.jsonkeeper.com/b/PC5CK, takes the cookie field from the JSON response, wraps it in new Function('require',...) , and invokes it with the package's own require — giving the fetched payload full Node privileges in the importing process. index.js additionally spawns a detached, stdio-ignored Node child running lib/caller.js, which loops an HTTP GET against a URL constructed from lib/config.js and, on a 404 with a token body, evaluates that body via new (Function.constructor)('require', res.token) — a second, backgrounded remote-code-execution channel that survives the parent. The advertised chai helpers and an unrelated bundled 'flowlimit' lib/ tree serve as cover for the loaders. jsonkeeper.com is a mutable paste-style host, so the delivered payload can change silently without a package update.
Source: amazon-inspector (854dd2b8a43d8936f153925a2af8ee8de5d18647149aeba69fb0329eaa461b93)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.