MAL-2026-4512
Malicious code in chai-as-repaired (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (949b90bd3c157955d029f9ea08bc32aea893e452c4ded78df98b80c1b831be76)

Package name 'chai-as-repaired' is a 1-edit typosquat of the popular 'chai-as-promised' chai plugin (>1M weekly downloads). The published code is unrelated to the advertised purpose: it ships pino-logger-derived source with mismatched metadata (description='vulnerability management', keywords=['logger','stream']).

The exported middleware factory in index.js invokes runJobA, which at lines 32-39 calls `spawn('node', [script, JSON.stringify(args)], { detached: true, stdio: 'ignore' })` followed by `child.unref()`, a detached, output-suppressed child process designed to outlive the parent on every consumer invocation. The spawned script `./lib/caller.js` is absent from this version, so the spawn fails silently in 5.32.9, but the loader scaffold is in place.

Separately, lib/const.js declares `DEV_API_KEY` whose value base64-decodes to `https://api.jsonstorage.net/v1/json/2ef8c758-a96f-459e-b036-b3b90379a165/a179ea35-b962-4722-b3f1-e28316d1a44a`, an anonymous public JSON-store endpoint commonly abused as mutable C2, deliberately named to look like a credential rather than a URL.

The combination of typosquat name + purpose/metadata mismatch + detached-child stager + hidden base64-encoded anonymous-JSON-store endpoint is a coherent attack scaffold awaiting the missing payload file.
## Source: ghsa-malware (6200ca18f04d2ebd704bc9ed0c91ec7e338ca315a3b42d71158a66bafdea7ba2) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Affected packages
No fixed version has been published for chai-as-repaired (npm), and none is expected: the package is malicious rather than vulnerable, so there is no safe version to pin to. Remove it, install the package that was intended (chai-as-promised), and follow the rotation guidance above.