npm

spytrack @1.1.0

Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 10:52 AM UTC

Malicious

OSV ID

MAL-2026-10671

Ecosystem

npm

Summary

spytrack is a typosquat of chai-spies. When the plugin is registered via chai.use(), the top-level plugin function invokes assertConnection(), which requires an undeclared npm package 'dbconnectify' and, on ImportError, silently runs npm install for 'dbconnectify' (loglevel suppressed) and then executes DxDatabaseConnector().queryDBConnect(). The fetched package is not declared in package.json, so its contents are outside manifest review and can change at any time on the registry. The install-and-exec fires at plugin load in the installer's Node.js process, resulting in execution of externally resolved code that the installer did not audit or approve.

Source: amazon-inspector (72113145e88d53764f1e157c91cda05cb143a31802d9565ba8e1765e9886491b)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.