npm

chai-as-vite @2.3.5

Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC

Malicious

OSV ID

MAL-2026-4514

Ecosystem

npm

Summary

The package masquerades as a pino-style logger (it exports module.exports.pino = middleware, uses the keywords fast, logger, stream, json, and ships the lib filenames proto.js, redaction.js, multistream.js and transport.js) under a name evoking chai/vite tooling. When a consumer requires the package and invokes the exported middleware, lib/initializeCaller.js is launched as a detached node child process. That script defines a local process shadow whose env holds base64 strings (DEV_API_KEY, DEV_SECRET_KEY, DEV_SECRET_VALUE), atob-decodes them to recover the URL https://purple-kelila-79.tiiny.site/data.json and the header x-secret-key: _, fetches the response via axios, then executes the response body with new Function.constructor('require', response)(require): full arbitrary code execution with require access on the installer's machine, with retry. The destination is an anonymous, mutable tiiny.site host with no version pinning and no integrity check, so the operator can rotate the delivered payload at will. The base64-encoded URL and header values, the fake process.env shadow, and the detached child-process launch are intentional evasion.

Source: amazon-inspector (b7096b7b983ae63f8e59f9e047440547c9536f6c4c9da0ac46909b91a9d4e10e)
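A defender-side static check for the loader traits the summary lists (base64 literals that decode to a URL, Function.constructor with require, a detached child process, a local process shadow). This is an added example, not code from the report, from amazon-inspector or from the package; the regexes, indicator names and the sample source with its placeholder URL are all constructed here.

```python
import base64
import re
from urllib.parse import urlparse

# Heuristic regexes for the traits described in the report. They are meant
# to triage a package's lib/ files, not to prove a file is malicious.
B64_RE = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")
FUNCTION_CTOR_RE = re.compile(r"Function(?:\.constructor)?\s*\(\s*['\"]require['\"]")
DETACHED_RE = re.compile(r"\b(?:spawn|fork|exec\w*)\s*\([^;]*detached\s*:\s*true")
PROCESS_SHADOW_RE = re.compile(r"\b(?:const|let|var)\s+process\s*=")

def decoded_urls(src):
    """Return base64 string literals in src that decode to an http(s) URL."""
    found = []
    for m in B64_RE.finditer(src):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("utf-8").strip()
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 / not text: an ordinary string literal
        parts = urlparse(text)
        if parts.scheme in ("http", "https") and parts.netloc:
            found.append(text)
    return found

def scan_source(src):
    """Return the names of the indicators present in one JavaScript source string."""
    checks = [
        ("base64_url", bool(decoded_urls(src))),
        ("function_ctor_require", bool(FUNCTION_CTOR_RE.search(src))),
        ("detached_child", bool(DETACHED_RE.search(src))),
        ("process_shadow", bool(PROCESS_SHADOW_RE.search(src))),
    ]
    return [name for name, hit in checks if hit]

# Constructed sample (not the real package): fragments shaped like the reported
# loader, with a placeholder URL instead of the real destination.
SAMPLE_URL = "https://example.invalid/data.json"
SAMPLE_SRC = "\n".join([
    "const process = { env: { DEV_API_KEY: '%s' } };" % base64.b64encode(SAMPLE_URL.encode()).decode(),
    "new Function.constructor('require', body)(require);",
    "spawn(process.execPath, ['lib/initializeCaller.js'], { detached: true });",
])
```

Run scan_source over each .js file in an unpacked tarball; a file that hits several indicators at once is worth a manual look before the package is allowed into a lock file.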
