MAL-2026-6365
Malicious code in assertcore (npm)
Details
## Source: amazon-inspector (4bd2844909a6dd6db77af2d47b2d9a16ff126d892998282f4df4c7ed1f61a4af)

Package `assertcore` impersonates the popular `chai` assertion library: it ships a copy of the chai source as cover, but its author and homepage differ from the genuine project.

On `require('assertcore')` / `import 'assertcore'`, `index.js` spawns a detached `node` subprocess running `lib/chai/utils/addAssertion.js` with stdio set to ignore:

`const chaiBinding = spawn("node", [addAssertion, JSON.stringify(args)], {detached: true, stdio: "ignore"})`

The spawned script is heavily obfuscated (obfuscator.io string-array rotation, a base64-with-substitution decoder, and hex-arithmetic indexing) to hide that it `require`s http(s), performs a GET to a URL assembled from obfuscated literals, and passes the response body into `new Function('require', body)(require)`, executing attacker-supplied JavaScript with full Node privileges on every install or require.

The combination of name impersonation, chai-source cover, a detached and silenced subprocess, an obfuscated network destination, and import-time fetch-and-eval is an unambiguous supply-chain attack on anyone who installs or imports the package.
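The loader pattern above (a `spawn` call with `detached: true` and `stdio: "ignore"`, paired elsewhere in the package with `new Function('require', …)(require)` and obfuscator.io-style `_0x…` identifiers) can be checked for before a package is trusted. The scanner below is an added example, not part of the advisory or of any scanning product; the sample package contents are constructed stand-ins that only reuse the spawn line quoted above, and the pattern names are this example's own.

```python
import re
from pathlib import Path

# Heuristics derived from the loader behaviour described in the advisory.
DETACHED = re.compile(r"detached\s*:\s*true")
SILENCED = re.compile(r"stdio\s*:\s*['\"]ignore['\"]")
SPAWN_CALL = re.compile(r"\bspawn\s*\([^;]*\)", re.S)
REQUIRE_EVAL = re.compile(r"new\s+Function\s*\(\s*['\"]require['\"]")
OBF_IDENT = re.compile(r"\b_0x[0-9a-f]{4,}\b", re.I)

def scan_source(text):
    """Return the names of the heuristics that fire on one file's source."""
    findings = []
    if any(DETACHED.search(c.group(0)) and SILENCED.search(c.group(0))
           for c in SPAWN_CALL.finditer(text)):
        findings.append("detached_silent_spawn")
    if REQUIRE_EVAL.search(text):
        findings.append("require_eval")
    if len(OBF_IDENT.findall(text)) >= 5:  # a handful of _0x names = obfuscator.io output
        findings.append("obfuscator_identifiers")
    return findings

def scan_files(files):
    """files maps relative path -> source text; returns {path: findings} for files with hits."""
    hits = {}
    for path, source in files.items():
        found = scan_source(source)
        if found:
            hits[path] = found
    return hits

def scan_package(root):
    """Walk an unpacked package directory on disk, skipping nested node_modules."""
    root = Path(root)
    return scan_files({str(p.relative_to(root)): p.read_text(errors="ignore")
                       for p in root.rglob("*.js") if "node_modules" not in p.parts})

def verdict(hits):
    """Flag the package when a silenced detached spawn and a fetch-and-eval both appear."""
    names = {n for found in hits.values() for n in found}
    return {"detached_silent_spawn", "require_eval"} <= names

# Constructed samples (not the real package files): the spawn line is the one the
# advisory quotes; the stage-2 stub only imitates obfuscator.io naming and is not runnable.
SAMPLE_PACKAGE = {
    "index.js": 'const chaiBinding = spawn("node", [addAssertion, JSON.stringify(args)], '
                '{detached: true, stdio: "ignore"});\nmodule.exports = require("./lib/chai");',
    "lib/chai/utils/addAssertion.js": "var _0x3f1a=['a','b'];function _0x2b1c(){}var _0x5d2e=_0x2b1c;"
                                      "var _0x7a9b=_0x3f1a;var _0x1c4d=1;new Function('require', _0x5d2e)(require);",
}
BENIGN_PACKAGE = {
    "index.js": "const { spawn } = require('child_process');\n"
                "spawn('node', ['--version'], {stdio: 'inherit'});",
}
```

Run `scan_package("node_modules/<name>")` on an installed copy to get per-file findings; `verdict()` deliberately requires both halves of the pattern so that a legitimate background helper process alone does not trip it.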
Affected packages
No fixed version published yet for assertcore (npm). Pin to a known-safe version or switch to an alternative.