chai-spycore @1.5.3
Vulnerability report · Last retrieved from osv.dev July 8, 2026 at 10:24 PM UTC
OSV ID
MAL-2026-6907
Ecosystem
npm
Summary
Package republishes the chai-spies Chai plugin source verbatim (including original author header) under the near-identical name chai-spycore . package.json declares six runtime dependencies — fast-deep-equal , eventemitter3 , lodash.clonedeep , chai-guard , is-plain-object , just-extend — but none of these are require() d anywhere in lib/spy.js or index.js . The legitimate chai-spies ships with zero runtime dependencies, so the additional deps are pulled into the installer's tree on npm install chai-spycore without serving any function in the package's own code. The non-mainstream chai-guard dependency is the most suspicious of the set and is the likely vehicle for any indirect code execution against the installer. Routing to human review to assess the name-confusion claim against chai-spies and to inspect chai-guard 's contents.
Source: amazon-inspector (fbb99516f251bbd13baae5273239a6a04acefea76ddf1a7b06f4b5a328339dae)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.