VYPR

npm · Malicious package advisory

Malware

check-error-util

MAL-2026-5527

Malicious code in check-error-util (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (7c25cbbb904c18028cac363ba66eb89d91301bd3204a8347834e52387b4b575e)
On require/import, index.js executes a top-level resolveConfig() that reconstructs a URL from an XOR-obfuscated integer array, AES-256-CBC-decrypts it, fetches the URL over HTTPS, and runs the JSON `cookie` field of the response as JavaScript via `new Function('require', cookie)(require)`. This grants an attacker arbitrary Node code execution with full `require` access on any machine that loads the package. The URL is hidden behind a layered XOR + AES blob (getHashAddress → Buffer.from(...,'hex') → createDecipheriv('aes-256-cbc', key, iv)) with cover-story comments ('S-box substitution', 'address pipeline', 'service layer hydration') intended to evade static review — there is no legitimate reason for an error-comparison utility to ship encrypted remote URLs. The package also impersonates the legitimate chaijs `check-error` library: package.json copies the upstream author Jake Luer <jake@alogicalparadox.com>, the chaijs contributor list, and a repository URL pointing at chaijs/check-error, while the published name is `check-error-util` and the upstream loader code is absent from the real package.

Compromised versions (6)

  • 2.1.4
  • 2.1.6
  • 2.1.5
  • 2.1.7
  • 2.1.3
  • 2.1.8

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.