assertcore @3.1.7
Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC
OSV ID
MAL-2026-6365
Ecosystem
npm
Summary
Package assertcore impersonates the popular chai assertion library (it ships a copy of the chai source as cover; the author and homepage differ from the genuine project). On require('assertcore') / import 'assertcore', index.js spawns a detached node subprocess running lib/chai/utils/addAssertion.js with stdio set to ignore: const chaiBinding = spawn("node", [addAssertion, JSON.stringify(args)], {detached: true, stdio: "ignore"}). The spawned script is heavily obfuscated using obfuscator.io string-array rotation, a base64-with-substitution decoder, and hex-arithmetic indexing to hide that it requires http(s), performs a GET to a URL assembled from obfuscated literals, and passes the response body into new Function('require', body)(require), executing attacker-supplied JavaScript with full Node privileges on every install or require. The combination of name impersonation, chai-source cover, a detached and silenced subprocess, an obfuscated network destination, and import-time fetch-and-eval is an unambiguous supply-chain attack on installers.
Source: amazon-inspector (4bd2844909a6dd6db77af2d47b2d9a16ff126d892998282f4df4c7ed1f61a4af)
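The indicator combination in the summary can be turned into a static triage check run over a package's files before install. The script below is an added example, not code from the OSV record or from the assertcore package; the sample package it scans is constructed to mirror the described layout, and the literal regexes only fire on deobfuscated source, so an identifier-density heuristic stands in for the raw obfuscator.io script.

```javascript
// Added example (not from the OSV record or the assertcore package): a static
// triage check for the indicator combination the report describes. Literal
// regexes only fire on deobfuscated source; the obfuscator.io identifier
// heuristic covers the raw script. The sample package below is constructed.
const INDICATORS = {
  // child process that outlives the parent and discards all of its output
  detachedSilencedSpawn: (src) =>
    /\b(spawn|fork|exec)\s*\(/.test(src) &&
    /detached\s*:\s*true/.test(src) &&
    /stdio\s*:\s*["']ignore["']/.test(src),
  // outbound capability and remote code evaluation (visible once deobfuscated)
  networkRequire: (src) => /require\s*\(\s*["']https?["']\s*\)/.test(src),
  fetchAndEval: (src) => /new\s+Function\s*\(\s*["']require["']/.test(src),
  // obfuscator.io output is dense with _0x-prefixed hex identifiers
  obfuscatorIoNames: (src) => (src.match(/\b_0x[0-9a-f]{4,}\b/gi) || []).length >= 8,
};

// files: { [relativePath]: sourceText }; entry: the package's main file
function triagePackage(files, entry = "index.js") {
  const results = Object.entries(files)
    .filter(([p]) => p.endsWith(".js"))
    .map(([path, src]) => ({ path, hits: Object.keys(INDICATORS).filter((k) => INDICATORS[k](src)) }));
  const entryHits = new Set((results.find((r) => r.path === entry) || { hits: [] }).hits);
  const anyHits = new Set(results.flatMap((r) => r.hits));
  let name = "";
  try { name = JSON.parse(files["package.json"] || "{}").name || ""; } catch (e) { name = ""; }
  // a package that is not chai but ships chai's lib tree is using it as cover
  const chaiCover = name !== "chai" && Object.keys(files).some((p) => p.startsWith("lib/chai/"));
  // the report's combination: import-time detached/silenced process plus code
  // that fetches and evaluates, or is obfuscated enough to hide that it does
  const suspicious = entryHits.has("detachedSilencedSpawn") &&
    (anyHits.has("fetchAndEval") || anyHits.has("obfuscatorIoNames"));
  return { suspicious, chaiCover, results };
}

// constructed sample mirroring the reported layout (not the real package files)
const SAMPLE = {
  "package.json": JSON.stringify({ name: "assertcore", main: "index.js" }),
  "index.js": [
    'const { spawn } = require("child_process");',
    'const addAssertion = require.resolve("./lib/chai/utils/addAssertion.js");',
    'spawn("node", [addAssertion, JSON.stringify(process.argv)], {detached: true, stdio: "ignore"});',
    'module.exports = require("./lib/chai");',
  ].join("\n"),
  "lib/chai/utils/addAssertion.js":
    "var _0x4a1b=['aHR0cHM='];(function(_0x2c3d,_0x1e2f){var _0x5f60=_0x4a1b;" +
    "try{var _0x3b7c=_0x5f60(0x1a);}catch(_0x6d8e){_0x2c3d.push(_0x2c3d.shift());}}(_0x4a1b,0x1f));",
};
```

Running triagePackage(SAMPLE) flags the constructed package as suspicious with chaiCover set, while a package whose entry file only re-exports local modules is not flagged.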