Supply-chain threat intelligence

Incident detail

critical · npm · malware · osv

Malicious code in chai-utils-test (npm)

chai-utils-test

Risk score

92

AI summary

Indexed incident for chai-utils-test (npm).

Description

Package name 'chai-utils-test' impersonates the popular 'chai' assertion library and ships a cloned chai source tree. The declared main (index.js) calls a top-level launcher that spawns node lib/chai/utils/assertion.js as a detached child process with stdio:'ignore' and child.unref(), so the dropper survives the parent and produces no visible output. The child uses axios to GET https://statecheck.ddns.net/api/scanner.js (a dynamic-DNS host) with a base64-encoded key=YWRtaW46c2VjcmV0MTIz query parameter (likely a server-side gate for staged payload delivery), then runs the response body via new Function('require', s)(require) — granting the attacker-served code full Node require() access. The package also pre-installs a global.atob polyfill backed by Buffer.from(x,'base64').toString('utf8') in preparation for the fetched payload. Net effect: any developer or CI job that requires/imports this package executes attacker-controlled code from a mutable remote endpoint with full Node privileges.

Technical details

Affected versions

= 4.5.0, = 4.5.1, = 4.5.2, = 4.5.3, = 4.5.4, = 4.5.5

Indicators

  • affected version = 4.5.0 (75%)
  • affected version = 4.5.1 (75%)
  • affected version = 4.5.2 (75%)
  • affected version = 4.5.3 (75%)
  • affected version = 4.5.4 (75%)
  • affected version = 4.5.5 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents