chai-as-regulatednpm

Package is published as chai-as-regulated, a name mimicking the widely-used chai-as-promised Chai plugin, and the README instructs users to register it via chai.use(chaiAsRegulated). The shipped code, however, does not implement a Chai plugin: the tarball contains Pino logger source files (lib/levels.js, lib/proto.js, lib/tools.js, lib/transport.js, docs referencing pinojs/pino), and the package.json description is unrelated boilerplate ("This document describes the management of vulnerabilities for the project and all modules within the organization."). The exported middleware in index.js (lines 32-50) calls runBackgroundTask, which uses child_process.spawn('node', [scriptPath, JSON.stringify(args)], { detached: true, stdio: 'ignore' }) followed by child.unref() to silently launch ./lib/initializeCaller.js as a detached background process passing caller-supplied arguments. The referenced initializeCaller.js is absent from this tarball, so no payload executes today, but the loader shape (typosquat name + identity lie + detached orphan-process spawner pointing at a sibling file) is structured for a future-version payload swap. The combination of name confusion against a popular target, copied unrelated source used as cover, and a silent background-launcher wired into the advertised API exceeds the bar for typosquat-with-payload-shape.