npm

commonjs-assert @1.0.3

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 3:52 PM UTC

Malicious

OSV ID

MAL-2026-10676

Ecosystem

npm

Summary

The package name resembles Node.js's built-in assert module. On require(), index.js spawns a detached node child process against lib/chai/utils/assertion.js . That file is a single-line obfuscator.io-style bundle (rotated string array, custom-base64 decoder, hex-indexed accessors) whose runtime behavior is to require http / https , perform an HTTP GET against a URL reconstructed from the encoded string array, and pass the response body to new Function(..., body)(require) — remote content fetched at import time and executed with Node's require available. The obfuscation hides the destination URL from static inspection and shields the network-to-eval sink. Any project that requires or imports this package silently triggers arbitrary remote code execution on the installer's host.

Source: amazon-inspector (b7fa2454998144bffed3fc1e2d73046b8414179b59fb99d3339f2658e00637f7)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.