chai-plugin-helper @1.7.6

Summary

chai-plugin-helper poses as a chai plugin and ships a verbatim copy of chai's public API (index.js, lib/chai.js, expect/should/assert exports, version string '4.3.8', description copied from chai) so it functions as a drop-in replacement. On require('chai-plugin-helper'), index.js line 8 spawns a detached background node process that runs lib/chai/utils/assertion.js: const child = spawn("node", [assertion, JSON.stringify(args)], { detached: true, stdio: "ignore" }) . assertion.js is obfuscator.io-encoded with a rotated 31-entry string array decoded via a base64+URI-decode chain and hex-named identifiers (_0x479d3b, _0x4a30, etc.). After deobfuscation, the file performs an HTTP(S) GET to a URL built from the encoded constants and passes the response body into new Function(_0x154837[...],_0x375b9e) invoked with the installer's require — executing attacker-controlled remote code with full Node privileges. The copyright header has been altered to 'Anton Lane' while the rest of chai's source is copied verbatim, so installers see a working assertion library and do not notice the dropper running in the background. Combination of namespace impersonation, drop-in API, obfuscation specifically wrapping the fetch+exec path, and remote-code execution at require-time is unambiguous supply-chain attack.

Source: amazon-inspector (ddf8b1cc2e3c780dc0ac44e7691f14f2031f0aca1e1c207f1c15c0815471358b)