MAL-2026-6221
Malicious code in chai-assert-kit (npm)
Details
## Source: amazon-inspector (fb347379535c0ea9895e1dc8dd2f20b1fd092b8e62b433bfbd49b2ac1bff2f72)

Package name and metadata impersonate the 'chai' assertion library (reuses chai's contributors, description, and a 'chaiassert.com' homepage), but the package contains no assertion logic. On require()/import, index.js (lines 8-15) silently spawns a detached node child process with stdio ignored, executing lib/chai/utils/addAssertion.js. That file is a heavily obfuscated obfuscator.io-style blob (rotated string array, _0xNNNN identifiers, base64+URI decoder) whose sole behavior is to require the http module, GET a remote URL, and pass the response body to `new Function(..., body)(require)`, granting the fetched bytes full Node privileges with access to require(). The combination of detached spawn, stdio:ignore, obfuscation and remote eval is intentional concealment of a remote code execution primitive against any developer or build system that installs and loads this package.
Affected packages
No fixed version published yet for chai-assert-kit (npm). Pin to a known-safe version or switch to an alternative.