chai-as-forgeted @9.24.6
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-6219
Ecosystem
npm
Summary
Package name impersonates the popular chai-as-promised assertion library, but its package.json description and keywords are copied from pino and the code is unrelated to chai. The package's main entry exports a middleware factory that spawns lib/caller.js as a detached node child process. lib/caller.js base64-decodes a hardcoded URL pointing at api.jsonstorage.net (a mutable third-party JSON storage service), GETs the JSON document, extracts the cookie field, and executes its contents via new Function.constructor('require', s)(require) with full access to require. The C2 URL and request headers are stored as base64 strings inside a locally redefined process object that shadows the real process global, then decoded with atob at runtime. Any consumer who installs and invokes the exported middleware triggers arbitrary attacker-controlled code execution; the attacker can rotate the payload served by the JSON storage endpoint at will.
Source: amazon-inspector (b6b32b714919c755532ed3d2695d1966568c24878e9721a5d756896d81881020)