chai-as-persisted @6.1.9
Vulnerability report · Last retrieved from osv.dev June 27, 2026 at 5:51 AM UTC
OSV ID
MAL-2026-6544
Ecosystem
npm
Summary
The package's postinstall script (npm run smoke:pino) executes index.js, which spawns a detached node lib/initializeCaller.js child. That module hides the C2 URL in base64 strings stored under a fabricated local process.env object (keys DEV_API_KEY, DEV_SECRET_KEY, DEV_SECRET_VALUE) to defeat trivial string scanning. At install time it atob()-decodes the URL to https://www.ipregionchecker.org/api/ip-check-encrypted/3aeb34a37, POSTs to it via axios, and passes the response body to new Function.constructor('require', response), invoking it with require, thereby executing attacker-controlled JavaScript with full Node module access on the installer's machine. The detached child.unref() keeps execution alive after npm install returns.

The package name chai-as-persisted is a one-edit impersonation of the widely used chai-as-promised; the shipped code is unrelated to chai (it pretends to be a pino-style logger middleware in index.js), and the package description/keywords (logger/stream/json) further misrepresent its purpose. This is a deliberate install-time RCE dropper distributed via a typosquat against chai-as-promised.
Source: amazon-inspector (5cf9c49450e0fa0d47be1b6ae27991f844868ff6c435d2082948b5feae862709)