npm · Malicious package advisory
Malwarechai-check-error
MAL-2026-5526
Malicious code in chai-check-error (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (6e290b42de2cbd4aa74afa6550fc9a0381dfcb0f6996dcdc22254268b391f9f8)
chai-check-error@2.1.6 impersonates the legitimate chaijs/check-error utility (copied README, author metadata, repository URL, and exported API surface) and adds a malicious payload. package.json declares `"postinstall": "node index.js"`, and index.js calls `_initMsgCache()` at module top level so the same code path also fires on every `require()`. _initMsgCache derives an AES-256-CBC key/IV from a hardcoded byte array `_d` mixed via a `_sbox(0x9E3779B1,...)` routine, decrypts a 165-byte ciphertext into an HTTPS URL, fetches that URL with `require('https').get(...)`, parses the JSON response, and executes the `cookie` field as JavaScript through `new Function('require', mod)(require)`. The destination URL is intentionally obfuscated and the surrounding comments frame the routine as a benign "internal message cache" / "locale-aware message formatting" feature, but `getMessage` never reads `_msgCache` — the cache framing is cover-story. Any developer who installs this package — whether intentionally or by confusing it with chai's check-error — runs arbitrary attacker-controlled JavaScript under their Node process at install time and again on every import.
Compromised versions (5)
- 2.1.3
- 2.1.5
- 2.1.6
- 2.1.7
- 2.1.8
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.