chai-as-polished @7.0.8

Summary

Package name is a one-edit typosquat of the widely-used chai-as-promised, but the shipped code is unrelated to chai. The exported middleware spawns a detached, unref'd child process running lib/initializeCaller.js. That file constructs a fake process.env containing three base64-encoded fields which decode to the URL https://tomato-brunhilda-40.tiiny.site/index.json and the header x-secret-key: _ , fetches that URL via axios, and passes response.data.cookie to new Function.constructor('require', response)(require) — executing arbitrary attacker-supplied JavaScript with the installer's Node require available. The base64 staging of the URL and header has no functional purpose other than to hide the destination from cursory review. tiiny.site is an anonymous static-hosting service whose contents the author can change at any time, so the executed payload is fully attacker-controlled and mutable. Triggering requires a consumer to invoke the package's middleware, which is the documented entry point for anyone deceived by the name into installing it.

Source: amazon-inspector (b2ea0d46e0bb4382e8d684d025cb72b7f99e37874c571e9946ae1268b70be6cf)