chai-web3-testkit @1.0.1
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5699
Ecosystem
npm
Summary
The package advertises itself as a Web3.js testing toolkit, but its content is copied from the legitimate chai-smart-assert library with a malicious dropper added. The main export, chaiPlugin (src/index.js:227-234), silently spawns a detached, unref'd node child process running src/utils/swap.js with stdio set to 'ignore', hiding all output. swap.js (lines 21-23) then fetches arbitrary JavaScript from https://www.jsonkeeper.com/b/AAON3 via axios with a custom x-secret-key header, retrying five times, and passes the response body to new Function.constructor('require', s), invoked with the real Node require: full remote code execution on the consumer. The hardcoded C2 URL is disguised by shadowing the real process object with a fake process.env containing DEV_API_KEY / DEV_SECRET_KEY / DEV_SECRET_VALUE (swap.js:4-10), and console.log is locally rebound to suppress output after execution. This cover-story obfuscation is consistent with intentional malicious behavior, not a mistake. The repository URL github.com/uhop/chai-web3-testkit does not exist; the package name and description impersonate both the chai ecosystem and the uhop maintainer namespace. Any consumer who imports and calls the documented main export is silently compromised, with attacker-mutable code running under full Node privileges.
Source: amazon-inspector (ecc1472c1964a224051ad01d14dabfdfd3ca26d594fff02fb07192f423238691)