chain-guardian @1.1.0
Vulnerability report · Last retrieved from osv.dev July 14, 2026 at 5:45 AM UTC
OSV ID
MAL-2026-10433
Ecosystem
npm
Summary
chain-guardian presents itself as a mocha gas reporter (typosquatting eth-gas-reporter) but its main entry index.js contains an always-true gate ( var opt = 1; if (!opt) {... } else {... } ) that forces construction of the reporter to invoke utils.connectNet. connectNet resolves lib/syncResolve.js and spawns it via spawn('node', [u_src], { detached: true, stdio: ['ignore'] }) followed by progs.unref() , so the child continues running after mocha exits with its output suppressed. lib/syncResolve.js fetches http://check-server-state.vercel.app/server/v2 over plaintext HTTP and, on a 404 response whose body carries a token field, passes that field to new Function('require', error.response.data.token) and invokes the resulting function with the real require , giving the remote host arbitrary code execution in the developer or CI Node process. A duplicate benign Gas reporter function is defined but never exported, serving as cover for the dropper path.
Source: amazon-inspector (1c281292766d55cda3ff1b006154150aa05d567a4f8115534788ffbbc014f3e7)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.