The 'chai-as-synced' package (version 6.0.3) is a malicious npm package designed to impersonate the legitimate 'chai-as-promised' package. Upon being required, it executes a detached, stdio-ignored Node.js child process running a script that decodes a base64-obfuscated URL and a secret key stored in a fake local environment object. It performs an HTTPS GET request to this URL, retrieves a 'cookie' field containing JavaScript code, and executes it using the Function constructor with require injected. This fetched code runs within the installer's Node process with full require access, allowing it to load and execute arbitrary modules. The use of obfuscation, detached child processes, and hidden stdio streams indicates a covert loader mechanism. The package's declared dependencies (sqlite3, request, axios) and keywords do not match its advertised functionality, further evidencing malicious intent.

The malicious code executes within the Node.js process of the user installing or requiring the package, with full access to the require function. This enables arbitrary code execution, potentially allowing attackers to run any code, access sensitive data, or compromise the host system. The covert nature of the loader and obfuscation techniques make detection difficult. There are no known exploits in the wild reported yet.

No official patch or remediation is currently available for this package. Users should avoid installing or using 'chai-as-synced' version 6.0.3. Verify package authenticity before installation, prefer official and well-maintained packages, and remove any instances of this malicious package from projects. Monitor dependency sources carefully to prevent supply chain compromise.