npm

chai-as-predicted @6.0.3

Vulnerability report · Last retrieved from osv.dev June 25, 2026 at 2:40 AM UTC

Malicious

OSV ID: MAL-2026-6393

Ecosystem: npm

Summary

Package name 'chai-as-predicted' impersonates the popular 'chai-as-promised' assertion library, but ships unrelated code disguised as pino logger internals. The exported middleware in index.js spawns a detached background Node process running lib/initializeCaller.js as soon as a consumer invokes it. lib/initializeCaller.js base64-decodes a hardcoded URL (https://amethyst-lorrin-26.tiiny.site/index.json) and a custom 'x-secret-key' header, performs an HTTP GET with retries, and passes the response body's .data.cookie field to new Function.constructor('require', response), which is then invoked with the real require — executing attacker-controlled JavaScript with full Node privileges on the installer's machine. The C2 URL and headers are stored as base64 strings inside a fake process.env object and decoded with atob() at runtime to evade plaintext URL scanning. The destination is an anonymous free-hosting domain with mutable, unauthenticated content. Consumers tricked by the typosquat name into requiring this package and calling its middleware will execute arbitrary remote code.

Source: amazon-inspector (fd7a2ff71dd341d02986c8185ea9eb18196b782f0efd9103859c0493c9f4cc78)
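The combination the summary describes (a URL hidden as a base64 literal that is only decoded with atob() at runtime, plus code built with the Function constructor and handed the real require) is exactly the kind of thing a pre-install review script can flag statically. The following Python is an added example for this report; it is not code from the page, from Amazon Inspector, or from the package. It decodes every base64-looking string literal in a JavaScript source and reports those that yield an http(s) URL, then checks for dynamic-code indicators, and calls the file suspicious only when both are present. The embedded JavaScript samples are constructed (the host example.invalid is hypothetical), and the heuristics, including the 16-character minimum for a base64 candidate, are my own assumptions rather than any scanner's published rules.

```python
"""Static heuristic for the obfuscation pattern described in MAL-2026-6393:
base64-encoded URLs decoded at runtime plus dynamic code construction
(new Function / Function.constructor) that is handed the real `require`.
Added illustrative check; not the scanner used to produce the report."""
import base64
import binascii
import re

# Constructed sample JS that mimics the reported pattern. The host
# example.invalid is hypothetical; this is not the real package's code.
ENC_URL = base64.b64encode(b"https://example.invalid/index.json").decode()
ENC_HDR = base64.b64encode(b"x-secret-key").decode()
SAMPLE_JS = f"""
const process = {{ env: {{ API: "{ENC_URL}", KEY: "{ENC_HDR}" }} }};
const url = atob(process.env.API);
const headers = {{ [atob(process.env.KEY)]: "value" }};
const fn = new Function.constructor('require', body.data.cookie);
fn(require);
"""

# Constructed benign control: a base64 literal that is binary data (not a
# URL) and ordinary middleware with no dynamic code construction.
BENIGN_JS = """
const png = "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJ";
module.exports = (req, res, next) => next();
"""

# Quoted runs of base64 alphabet characters, at least 16 long (assumed threshold).
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""")

# Indicators of code being constructed or decoded at runtime.
DYNAMIC_CODE = {
    "new_function": re.compile(r"\bnew\s+Function\b"),
    "function_constructor": re.compile(r"\bFunction\.constructor\b"),
    "eval": re.compile(r"\beval\s*\("),
    "atob": re.compile(r"\batob\s*\("),
    "require_passed": re.compile(r"\(\s*require\s*\)"),  # bare require handed to a call
}


def decode_b64_urls(src):
    """Return (literal, decoded) pairs for base64 literals that decode to a URL."""
    hits = []
    for m in B64_LITERAL.finditer(src):
        lit = m.group(1)
        try:
            text = base64.b64decode(lit, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64, or not text: skip
        if text.startswith(("http://", "https://")):
            hits.append((lit, text))
    return hits


def dynamic_code_indicators(src):
    """Names of the DYNAMIC_CODE patterns present in the source, sorted."""
    return sorted(name for name, rx in DYNAMIC_CODE.items() if rx.search(src))


def assess(src):
    """Flag a file only when a hidden URL and runtime code construction co-occur."""
    urls = decode_b64_urls(src)
    inds = dynamic_code_indicators(src)
    builds_code = any(k in inds for k in ("new_function", "function_constructor", "eval"))
    return {"hidden_urls": urls, "indicators": inds, "suspicious": bool(urls) and builds_code}


if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_JS), ("benign", BENIGN_JS)):
        print(name, assess(src))
```

Run over every .js file in node_modules after an install into a scratch directory (never in production), the suspicious verdict is a trigger for manual review, not a final judgement: a legitimate SDK can embed a base64 endpoint, and a template engine can legitimately use new Function, so the check is deliberately conservative and only fires on the pairing described in this report.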
