MAL-2026-5907
Malicious code in chai-solidity-testkit (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (7f6482febfb9b57ff5c59a2170dab31ec0dd814ccc21b6996dbb9e7a0c9e575c)

The package masquerades as a Web3/Solidity testing toolkit, but its shipped source is an unrelated stream-pipeline library plus a hidden payload runner. The default export `chaiPlugin` (src/index.js) calls `runChain`, which spawns `node src/utils/swap.js` as a detached, unref'd child process. swap.js issues an HTTPS GET to https://jsonkeeper.com/b/CS0FU, takes the response's `data.config` string, and executes it via `new Function.constructor('require', s)` invoked with the real `require`, granting the remote operator full Node.js capabilities (filesystem, network, child_process, env) on the installer's machine. The remote endpoint is author-mutable (a public paste host), so the executed code can change at any time without a package update. The detach-and-unref pattern lets the payload outlive the calling process. The package name and description impersonate the chai/solidity testing namespace, and the only reason `axios` is declared as a dependency is to drive the remote fetch in swap.js.
Affected packages
No fixed version published yet for chai-solidity-testkit (npm). Pin to a known-safe version or switch to an alternative.