Importing the advertised assertion plugin unconditionally loads a large obfuscated module unrelated to Chai assertions. That module gathers machine identity data and includes filesystem, shell, cryptographic, dynamic-code, and HTTP-client capabilities.
Static reason
No blocking static signals were detected.
Trigger
Runtime import of `chai-as-promised-plus`.
Impact
Host data can be collected and commands or additional behavior can be executed outside the package's stated assertion-plugin purpose.
Mechanism
Obfuscated import-time host reconnaissance and remote-capable payload loader.
Attack narrative
The main entrypoint redirects module export to an obfuscated 3.5 MB configuration file. On import, that file loads OS, filesystem, path, shell-execution, HTTP, and cryptographic capabilities, constructs host/OS/username telemetry, and contains dynamic `Function` execution. These behaviors are unrelated to promise assertions and establish a concrete malicious runtime payload surface, even though no npm lifecycle hook is present.
Rationale
The package's real export path introduces obfuscated system reconnaissance and remote-capable execution primitives that are not required for Chai assertions. This is malicious import-time behavior, not a noisy static label.
Evidence
package.jsonlib/chai-as-promised-plus.jslib/config/config.js