MAL-2026-5901

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b2ea0d46e0bb4382e8d684d025cb72b7f99e37874c571e9946ae1268b70be6cf) Package name is a one-edit typosquat of the widely-used chai-as-promised, but the shipped code is unrelated to chai. The exported middleware spawns a detached, unref'd child process running lib/initializeCaller.js. That file constructs a fake `process.env` containing three base64-encoded fields which decode to the URL https://tomato-brunhilda-40.tiiny.site/index.json and the header `x-secret-key: _`, fetches that URL via axios, and passes `response.data.cookie` to `new Function.constructor('require', response)(require)` — executing arbitrary attacker-supplied JavaScript with the installer's Node `require` available. The base64 staging of the URL and header has no functional purpose other than to hide the destination from cursory review. tiiny.site is an anonymous static-hosting service whose contents the author can change at any time, so the executed payload is fully attacker-controlled and mutable. Triggering requires a consumer to invoke the package's middleware, which is the documented entry point for anyone deceived by the name into installing it.