When consumers register the Chai plugin, its Node entrypoint starts a detached subprocess. That subprocess loads `dbconnectify` and attempts a database connection outside the advertised spy functionality.
Static reason
No blocking static signals were detected.
Trigger
Runtime registration through `chai.use(require('chai-tracker'))`.
Impact
Concealed dependency-driven connection activity and background process creation in consumer environments.
Mechanism
Detached child-process execution of an inline database-connection payload.
Attack narrative
The Node entrypoint exports the Chai plugin implementation. During plugin registration, `lib/spy.js` unconditionally invokes `assertConnection`, which launches a detached Node child with ignored stdio. The child imports `dbconnectify` and invokes its connection routine, despite no documented relation to Chai spying. The added peer dependency supports this hidden runtime payload. The distributed browser bundle omits the code, further concealing the behavior from browser-oriented review.
Rationale
The package contains an undocumented, unconditionally triggered detached subprocess and database-connection payload unrelated to its stated testing utility. This is concrete malicious runtime behavior, not a benign testing primitive.
Evidence
index.jslib/spy.jspackage.jsonchai-tracker.jsREADME.md