Supply-chain threat intelligence

Incident detail

criticalnpm·obfuscation·osv

Malicious code in commonjs-assert (npm)

commonjs-assert

Risk score

92

AI summary

Indexed incident for commonjs-assert (npm).

Description

The package name resembles Node.js's built-in assert module. On require(), index.js spawns a detached node child process against lib/chai/utils/assertion.js. That file is a single-line obfuscator.io-style bundle (rotated string array, custom-base64 decoder, hex-indexed accessors) whose runtime behavior is to require http/https, perform an HTTP GET against a URL reconstructed from the encoded string array, and pass the response body to new Function(..., body)(require) — remote content fetched at import time and executed with Node's require available. The obfuscation hides the destination URL from static inspection and shields the network-to-eval sink. Any project that requires or imports this package silently triggers arbitrary remote code execution on the installer's host.

Technical details

Affected versions

=1.0.3

Indicators

  • affected version=1.0.375%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents