VYPR

npm · Malicious package advisory

Malware

chai-check-error

MAL-2026-5526

Malicious code in chai-check-error (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (6e290b42de2cbd4aa74afa6550fc9a0381dfcb0f6996dcdc22254268b391f9f8)
chai-check-error@2.1.6 impersonates the legitimate chaijs/check-error utility (copied README, author metadata, repository URL, and exported API surface) and adds a malicious payload. package.json declares `"postinstall": "node index.js"`, and index.js calls `_initMsgCache()` at module top level so the same code path also fires on every `require()`. _initMsgCache derives an AES-256-CBC key/IV from a hardcoded byte array `_d` mixed via a `_sbox(0x9E3779B1,...)` routine, decrypts a 165-byte ciphertext into an HTTPS URL, fetches that URL with `require('https').get(...)`, parses the JSON response, and executes the `cookie` field as JavaScript through `new Function('require', mod)(require)`. The destination URL is intentionally obfuscated and the surrounding comments frame the routine as a benign "internal message cache" / "locale-aware message formatting" feature, but `getMessage` never reads `_msgCache` — the cache framing is cover-story. Any developer who installs this package — whether intentionally or by confusing it with chai's check-error — runs arbitrary attacker-controlled JavaScript under their Node process at install time and again on every import.

Compromised versions (5)

  • 2.1.3
  • 2.1.5
  • 2.1.6
  • 2.1.7
  • 2.1.8

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.