
MAL-2026-5900

Malicious code in chai-as-decrypted (npm)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (3ed93b06c95c42e3183b89e5fb1d9dea3f711bb20d766861c8d16b8d17f17cc9)

Package name `chai-as-decrypted` mimics the popular `chai-as-promised`, and the README impersonates `pino` (uses pino's npm badges and links to github.com/pinojs/pino). On `npm install`, the `postinstall` hook runs `npm run smoke:pino` → `node ./index.js`, whose top-level `runBackgroundTask()` spawns a detached `node lib/initializeCaller.js`. That file shadows the global `process` with a local object whose `env.DEV_API_KEY` is a base64 string; it `atob`-decodes the value to https://www.ipregionchecker.org/api/ip-check-encrypted/3aeb34a37, POSTs to it via axios, and executes the HTTP response body with `new Function.constructor("require", response)(require)` — arbitrary remote JavaScript run with full `require` access on the installer's machine, retried 5 times. The base64 hiding of the endpoint and headers behind a fake `process.env` has no legitimate purpose and is solely to evade static scanners. This is a deliberate install-time remote code execution attack against developers who mistype `chai-as-promised`.
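The traits described above (an install hook reached through `npm run` indirection, a base64 literal that decodes to a URL, a local `process` binding, and a `Function` constructor call) can be checked statically on an unpacked package before it is installed. The following is an added example, not code from the advisory or from Amazon Inspector; `auditPackage`, `resolveScript`, the rule names and the sample files are assumptions made for illustration, and the sample URL is a placeholder.

```javascript
// Added example: static triage of an unpacked npm package held as { path: text }.
const LIFECYCLE = ["preinstall", "install", "postinstall"];

// Follow `npm run <name>` indirection so the hook's real command is reported.
function resolveScript(scripts, cmd, depth = 0) {
  const m = /^npm run ([\w:.-]+)/.exec(cmd);
  if (!m || depth > 5 || !scripts[m[1]]) return cmd;
  return resolveScript(scripts, scripts[m[1]], depth + 1);
}

function auditPackage(files) {
  const findings = [];
  const scripts = JSON.parse(files["package.json"] || "{}").scripts || {};
  for (const hook of LIFECYCLE) {
    if (!scripts[hook]) continue;
    const detail = `${hook} -> ${resolveScript(scripts, scripts[hook])}`;
    findings.push({ rule: "install-hook", file: "package.json", detail });
  }
  for (const [file, text] of Object.entries(files)) {
    if (!/\.[cm]?js$/.test(file)) continue;
    // String literals that look like base64 and decode to a printable URL.
    for (const [, lit] of text.matchAll(/["'`]([A-Za-z0-9+/]{16,}={0,2})["'`]/g)) {
      const decoded = Buffer.from(lit, "base64").toString("utf8");
      if (/^https?:\/\/[\x21-\x7e]+$/.test(decoded)) {
        findings.push({ rule: "base64-url", file, detail: decoded });
      }
    }
    // A local binding named `process` hides the real global from readers and scanners.
    if (/\b(?:const|let|var)\s+process\s*=/.test(text)) {
      findings.push({ rule: "shadowed-process", file, detail: "local `process` binding" });
    }
    // Code assembled from a string at run time via the Function constructor.
    if (/\bFunction(?:\.constructor)?\s*\(/.test(text)) {
      findings.push({ rule: "dynamic-function", file, detail: "Function constructor call" });
    }
  }
  return findings;
}

// Constructed sample shaped like the description; never executed, only scanned as text.
const b64 = Buffer.from("https://example.invalid/placeholder").toString("base64");
const sample = {
  "package.json": JSON.stringify({ scripts: {
    postinstall: "npm run smoke:pino", "smoke:pino": "node ./index.js" } }),
  "lib/initializeCaller.js":
    `const process = { env: { DEV_API_KEY: "${b64}" } };\n` +
    `new Function.constructor("require", response)(require);\n`,
};
console.log(auditPackage(sample));
```

Any one of these rules fires on legitimate packages too; it is the combination inside an install-time code path that warrants blocking the install and reviewing the tarball by hand.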


Affected packages

npm / chai-as-decrypted

No fixed version published yet for chai-as-decrypted (npm). Pin to a known-safe version or switch to an alternative.

References