Supply-chain threat intelligence
Risk score
92
Indexed incident for commonjs-assert (npm).
The package name resembles Node.js's built-in assert module. On require(), index.js spawns a detached node child process against lib/chai/utils/assertion.js. That file is a single-line obfuscator.io-style bundle (rotated string array, custom-base64 decoder, hex-indexed accessors) whose runtime behavior is to require http/https, perform an HTTP GET against a URL reconstructed from the encoded string array, and pass the response body to new Function(..., body)(require) — remote content fetched at import time and executed with Node's require available. The obfuscation hides the destination URL from static inspection and shields the network-to-eval sink. Any project that requires or imports this package silently triggers arbitrary remote code execution on the installer's host.
Affected versions
Indicators
Timeline