npm

chai-as-built @6.0.3

Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 10:45 PM UTC

Malicious

OSV ID

MAL-2026-6465

Ecosystem

npm

Summary

chai-as-built masquerades as the pino logger (package.json keywords 'fast', 'logger', 'stream', 'json'; file layout lib/proto.js, lib/redaction.js, lib/transport.js, lib/multistream.js, lib/levels.js; export module.exports.pino = middleware) while its name shadows the popular chai-as-promised. When a consumer imports the package and invokes the exported middleware, index.js spawns a detached node child process running lib/initializeCaller.js. That script base64-decodes a hardcoded URL (https://amethyst-lorrin-26.tiiny.site/index.json) hidden inside a fake process.env shadow object, GETs the JSON with a custom header, passes the response's cookie field to new Function.constructor('require', response), and then invokes the resulting function with require, executing arbitrary attacker-supplied JavaScript with full Node privileges. The fetch is retried up to 5 times against a mutable anonymous tiiny.site host with no integrity check. The combination of typosquat/impersonation cover, base64 string concealment of the C2 endpoint, detached child-process execution, and dynamic Function-constructor evaluation of remote content is a textbook supply-chain dropper.

Source: amazon-inspector (469c5ebe97d1e69d080295000d723febbb06050f65aed9a0f44a76fd707c0b1e)
