ethereum-gas-reporter @0.2.27
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC
OSV ID
MAL-2026-6202
Ecosystem
npm
Summary
index.js line 144 contains require('chai-assert-kit') appended after the module's normal exports, with no other reference to chai-assert-kit anywhere in the package's source. The package's documented purpose is a Mocha gas usage reporter; chai-assert-kit has no functional role in that purpose. Because the require is at module top level, chai-assert-kit's top-level code executes in the consumer's process whenever ethereum-gas-reporter is loaded. Version 0.2.27 was published with no corresponding CHANGELOG entry — CHANGELOG.md ends at 0.2.26 (2023-09-29) — and the injection of the unrelated dependency is the only material code change relative to 0.2.26. This shape (silent unrelated dep added, no changelog, top-level require) matches an unauthorized publish that drops a malicious package into the dependency tree of every installer.
Source: amazon-inspector (7303c828115a527d477ea14684b3015e43fdcd36a7fa94041c16ccb3c2fbcfcc)