
MAL-2026-6544

Malicious code in chai-as-persisted (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (5cf9c49450e0fa0d47be1b6ae27991f844868ff6c435d2082948b5feae862709)

The package's postinstall script (`npm run smoke:pino`) executes index.js, which spawns a detached `node lib/initializeCaller.js` child. That module hides the C2 URL in base64 strings stored under a fabricated local `process.env` object (keys `DEV_API_KEY`, `DEV_SECRET_KEY`, `DEV_SECRET_VALUE`) to defeat trivial string scanning. At install time it `atob()`-decodes the URL to `https://www.ipregionchecker.org/api/ip-check-encrypted/3aeb34a37`, POSTs to it via axios, and passes the response body to `new Function.constructor('require', response)`, invoking it with `require`, which executes attacker-controlled JavaScript with full Node module access on the installer's machine. The detached `child.unref()` keeps execution alive after `npm install` returns.

The package name `chai-as-persisted` is a one-edit impersonation of the widely used `chai-as-promised`; the shipped code is unrelated to chai (it pretends to be a pino-style logger middleware in index.js) and the package description/keywords (logger/stream/json) further misrepresent its purpose. This is a deliberate install-time RCE dropper distributed via a typosquat against chai-as-promised.


Affected packages

npm / chai-as-persisted
Introduced in: 0

No fixed version published yet for chai-as-persisted (npm). Pin to a known-safe version or switch to an alternative.
