MAL-2026-6218
Malicious code in chai-as-attested (npm)
Details
## Source: amazon-inspector (88e27467366a90f482eb47476458b1f74d5a41ac63371572e527f2e60e4e0b51)

The package impersonates a pino-style logger (it exports `module.exports.pino`, ships pino-like `DEFAULT_LEVELS`, and uses the keywords `fast/logger/stream/json`), but the exported middleware spawns a detached `node lib/initializeCaller.js`. That script fetches a JSON document from a hardcoded free file-hosting URL (https://amethyst-lorrin-26.tiiny.site/index.json) and executes the `cookie` field of the response via `new Function.constructor('require', response)(require)`, which gives the remote payload full access to Node's `require`. The endpoint URL and request headers are stored base64-encoded in constants with fake `process.env`-style names and decoded at runtime with `atob` to evade scanners; the fetch is retried 5 times. Any consumer who imports the package and invokes the middleware (or runs the package's smoke script) executes attacker-controlled code on the host. The package name and pino-mimicking API surface are a lure: `chai-as-attested` has no relation to chai-as-promised or to pino.
Affected packages
No fixed version published yet for chai-as-attested (npm). Pin to a known-safe version or switch to an alternative.